GHSA-9m6p-x4h2-6frq: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-32476

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences

Moderate severity GitHub Reviewed Published Apr 26, 2024 in argoproj/argo-cd • Updated Apr 26, 2024

Package

gomod github.com/argoproj/argo-cd/v2 (Go)

Affected versions

>= 2.10.0, < 2.10.8

>= 2.9.0, < 2.9.13

< 2.8.17

Patched versions

2.10.8

2.9.13

2.8.17

Impact

DoS vuln via OOM using jq in ignoreDifferences.

ignoreDifferences:
    - group: apps
       kind: Deployment
       jqPathExpressions: 
        - 'until(true == false; [.] + [1])'

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.8
v2.9.13
v2.8.17

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

References

• GHSA-9m6p-x4h2-6frq
• argoproj/argo-cd@7893979
• argoproj/argo-cd@9e5cc5a
• argoproj/argo-cd@e2df731

Published to the GitHub Advisory Database

Apr 26, 2024

Last updated

Apr 26, 2024