| id: GO-2024-2654 |
| modules: |
| - module: github.com/argoproj/argo-cd/v2 |
| versions: |
| - fixed: 2.8.13 |
| - introduced: 2.9.0 |
| - fixed: 2.9.9 |
| - introduced: 2.10.0 |
| - fixed: 2.10.4 |
| vulnerable_at: 2.10.3 |
| packages: |
| - package: github.com/argoproj/argo-cd/v2/server/application |
| symbols: |
| - NewHandler |
| - newTerminalSession |
| - package: github.com/argoproj/argo-cd/v2/util/session |
| symbols: |
| - expireOldFailedAttempts |
| - SessionManager.updateFailureCount |
| - SessionManager.getFailureCount |
| derived_symbols: |
| - SessionManager.VerifyUsernamePassword |
| summary: Denial of service in github.com/argoproj/argo-cd/v2 |
| description: |- |
| Application may crash due to concurrent writes, leading to a denial of service. |
| An attacker can crash the application continuously, making it impossible for |
| legitimate users to access the service. Authentication is not required in the |
| attack. |
| cves: |
| - CVE-2024-21661 |
| ghsas: |
| - GHSA-6v85-wr92-q4p7 |
| credits: |
| - '@nadava669' |
| - '@todaywasawesome' |
| - '@crenshaw-dev' |
| - '@jannfis' |
| - '@pasha-codefresh' |
| references: |
| - fix: https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345 |
| - fix: https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208 |
| - fix: https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b |
| - web: https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311 |
| review_status: REVIEWED |
