CVE-2022-31016

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-31016

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31016.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-31016

Aliases

Published

2022-06-25T07:40:10Z

Modified

2026-04-26T04:11:11.363491Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Argo CD vulnerable to Uncontrolled Memory Consumption

Details

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

Database specific

{
    "cwe_ids": [
        "CWE-400"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31016.json"
}

References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

6fc345f555dff62d232fe03bf17b8bf84d7f1b5d

Fixed

903db5fe464032bd5a10bf32fe17639e76634c2a

Introduced

6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a

Fixed

8db0e57b738ff5b0b276031573576fdc3498c04f

Introduced

fe427802293b090f43f91f5839393174df6c3b3a

Fixed

1287d24bfe47bcaa6e791e5ff12fa1c1bf57a442

Introduced

91aefabc5b213a258ddcfe04b8e69bb4a2dd2566

Fixed

52e6025f8b565705025d029e8bed36d6caa5ecf7

Database specific

{
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0.7.0"
        },
        {
            "fixed": "2.1.16"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.10"
        },
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.5"
        },
        {
            "introduced": "2.4.0"
        },
        {
            "fixed": "2.4.1"
        }
    ],
    "cpe": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*"
}

Affected versions

v0.*

v0.7.0

v0.7.1

v0.8.0

v2.*

v2.1.0

v2.1.0-rc1

v2.1.0-rc2

v2.1.0-rc3

v2.1.1

v2.1.10

v2.1.11

v2.1.12

v2.1.13

v2.1.14

v2.1.15

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.4.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31016.json"