CVE-2024-21652

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21652

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21652.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-21652

Aliases

Related

Published

2024-03-18T18:15:09Z

Modified

2025-01-10T01:59:30.256898Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type: GIT
Repo: https://github.com/argoproj/argo-cd
Events: Introduced

9cf0c69bbe70393db40e5755e34715f30179ee09

Fixed

8281b18831b585ccbed840a85fe695eb23f07f62

Affected versions

v2.*

v2.9.0

v2.9.1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

v2.9.8