GHSA-9m6p-x4h2-6frq: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences

Impact

Denial of service: a crafted jqPathExpressions entry in an Application's ignoreDifferences can make the jq evaluator allocate memory without bound, so the process dies from an out-of-memory condition. The advisory's example expression is a loop whose exit condition can never hold:

ignoreDifferences:
  - group: apps
    kind: Deployment
    jqPathExpressions:
      - 'until(true == false; [.] + [1])'
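As an added illustration, not code from the advisory or from the Argo CD project, the mitigation a defender wants for this class of bug is a hard time budget on every normalizer expression, enforced through a cancellable evaluator. The jq engine is replaced by two stand-in functions so the example runs offline: deleteReplicas behaves like a benign expression, runawayUntil behaves like the advisory's until loop and keeps nesting its accumulator until the context is cancelled. The names NormalizeWithBudget, ErrNormalizerTimeout and the sample Deployment map are my own; the assumption that a real integration would hand the same context to gojq's (*Code).RunWithContext is mine as well.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Evaluator stands in for a jq engine that honors cancellation. This is an
// assumption of the example: the real hook would be gojq's RunWithContext.
type Evaluator func(ctx context.Context, input map[string]any) (any, error)

// runawayUntil mimics `until(true == false; [.] + [1])`: the condition never
// becomes true, so every iteration nests the accumulator one level deeper and
// memory grows without bound. It checks ctx on each iteration, which is the
// property the time-budget mitigation relies on.
func runawayUntil(ctx context.Context, input map[string]any) (any, error) {
	var acc any = input
	for {
		if err := ctx.Err(); err != nil {
			return nil, err
		}
		acc = []any{acc, 1}
	}
}

// deleteReplicas mimics a benign normalizer such as `del(.spec.replicas)`,
// copying the input so the caller's object is left untouched.
func deleteReplicas(ctx context.Context, input map[string]any) (any, error) {
	out := make(map[string]any, len(input))
	for k, v := range input {
		out[k] = v
	}
	if spec, ok := out["spec"].(map[string]any); ok {
		specCopy := make(map[string]any, len(spec))
		for k, v := range spec {
			if k != "replicas" {
				specCopy[k] = v
			}
		}
		out["spec"] = specCopy
	}
	return out, nil
}

// ErrNormalizerTimeout is returned when an expression exhausts its budget.
var ErrNormalizerTimeout = errors.New("jq normalizer exceeded time budget")

// NormalizeWithBudget runs one ignoreDifferences expression under a deadline.
// The goroutine and channel let the caller return promptly; the context is
// what actually stops the evaluator's allocation loop.
func NormalizeWithBudget(eval Evaluator, input map[string]any, budget time.Duration) (any, error) {
	ctx, cancel := context.WithTimeout(context.Background(), budget)
	defer cancel()

	type result struct {
		v   any
		err error
	}
	done := make(chan result, 1)
	go func() {
		v, err := eval(ctx, input)
		done <- result{v, err}
	}()

	select {
	case r := <-done:
		if errors.Is(r.err, context.DeadlineExceeded) {
			return nil, ErrNormalizerTimeout
		}
		return r.v, r.err
	case <-ctx.Done():
		return nil, ErrNormalizerTimeout
	}
}

func main() {
	// Constructed sample resource, not taken from the advisory.
	deployment := map[string]any{
		"kind": "Deployment",
		"spec": map[string]any{"replicas": 3, "paused": false},
	}
	v, err := NormalizeWithBudget(deleteReplicas, deployment, 20*time.Millisecond)
	fmt.Println("benign:", v, err)
	_, err = NormalizeWithBudget(runawayUntil, deployment, 20*time.Millisecond)
	fmt.Println("runaway:", err)
}
```

The important design point is that the budget only protects memory if the evaluator itself observes the context: a wrapper that merely abandons an uncancellable goroutine returns an error to the caller while the runaway loop keeps allocating in the background.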

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.8
v2.9.13
v2.8.17

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

This vulnerability was found and reported by @crenshaw-dev (Michael Crenshaw).

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolution of this issue.

Severity: Moderate (GitHub Reviewed)
Published Apr 26, 2024 in argoproj/argo-cd
Updated Apr 26, 2024

Package

gomod github.com/argoproj/argo-cd/v2 (Go)

Affected versions

>= 2.10.0, < 2.10.8

>= 2.9.0, < 2.9.13

< 2.8.17

Patched versions

2.10.8

2.9.13

2.8.17

References

  • GHSA-9m6p-x4h2-6frq
  • argoproj/argo-cd@7893979
  • argoproj/argo-cd@9e5cc5a
  • argoproj/argo-cd@e2df731

Published to the GitHub Advisory Database

Apr 26, 2024

Last updated

Apr 26, 2024
