data/reports/GO-2024-2654.yaml - vulndb - Git at Google

 id: GO-2024-2654
 modules:
     - module: github.com/argoproj/argo-cd/v2
       versions:
         - fixed: 2.8.13
         - introduced: 2.9.0
           fixed: 2.9.9
         - introduced: 2.10.0
           fixed: 2.10.4
       vulnerable_at: 2.10.3
       packages:
         - package: github.com/argoproj/argo-cd/v2/server/application
           symbols:
             - NewHandler
             - newTerminalSession
         - package: github.com/argoproj/argo-cd/v2/util/session
           symbols:
             - expireOldFailedAttempts
             - SessionManager.updateFailureCount
             - SessionManager.getFailureCount
           derived_symbols:
             - SessionManager.VerifyUsernamePassword
 summary: Denial of service in github.com/argoproj/argo-cd/v2
 description: |-
     Application may crash due to concurrent writes, leading to a denial of service.
     An attacker can crash the application continuously, making it impossible for
     legitimate users to access the service. Authentication is not required in the
     attack.
 cves:
     - CVE-2024-21661
 ghsas:
     - GHSA-6v85-wr92-q4p7
 credits:
     - '@nadava669'
     - '@todaywasawesome'
     - '@crenshaw-dev'
     - '@jannfis'
     - '@pasha-codefresh'
 references:
     - fix: https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345
     - fix: https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208
     - fix: https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b
     - web: https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311
	id: GO-2024-2654
	modules:
	- module: github.com/argoproj/argo-cd/v2
	versions:
	- fixed: 2.8.13
	- introduced: 2.9.0
	fixed: 2.9.9
	- introduced: 2.10.0
	fixed: 2.10.4
	vulnerable_at: 2.10.3
	packages:
	- package: github.com/argoproj/argo-cd/v2/server/application
	symbols:
	- NewHandler
	- newTerminalSession
	- package: github.com/argoproj/argo-cd/v2/util/session
	symbols:
	- expireOldFailedAttempts
	- SessionManager.updateFailureCount
	- SessionManager.getFailureCount
	derived_symbols:
	- SessionManager.VerifyUsernamePassword
	summary: Denial of service in github.com/argoproj/argo-cd/v2
	description: \|-
	Application may crash due to concurrent writes, leading to a denial of service.
	An attacker can crash the application continuously, making it impossible for
	legitimate users to access the service. Authentication is not required in the
	attack.
	cves:
	- CVE-2024-21661
	ghsas:
	- GHSA-6v85-wr92-q4p7
	credits:
	- '@nadava669'
	- '@todaywasawesome'
	- '@crenshaw-dev'
	- '@jannfis'
	- '@pasha-codefresh'
	references:
	- fix: https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345
	- fix: https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208
	- fix: https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b
	- web: https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311