Bug 2096283 (CVE-2022-31016)

Summary: CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: scorneli, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ArgoCD 2.1.16, ArgoCD 2.2.10, ArgoCD 2.3.5, ArgoCD 2.4.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD's repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.
Last Closed: 2022-06-28 11:37:45 UTC
Bug Blocks: 2096259

Description Rohit Keshri 2022-06-13 12:32:03 UTC
All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server
<https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server> service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies core Argo CD services (such as syncing Application updates).

To achieve denial of service, the attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file.

<https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq>
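The failure mode described above is a component that reads repository files into memory without a bound. The following is an added illustration of the defensive pattern for this class of bug, written for this page and not taken from Argo CD's code or its actual fix: a per-file cap enforced with io.LimitReader (rejecting oversized input without buffering it) plus a combined cap across all manifests, so many medium-sized files cannot reach the same outcome. Function names and limits are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrManifestTooLarge is returned instead of buffering an oversized input.
var ErrManifestTooLarge = errors.New("manifest exceeds size limit")

// readManifestBounded reads at most maxBytes from r. It asks the limited
// reader for one extra byte so an oversized input is detected and rejected
// rather than being read into memory in full. (Hypothetical helper.)
func readManifestBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrManifestTooLarge
	}
	return data, nil
}

// loadManifests applies a per-file cap and a combined cap across a set of
// manifest sources, so many medium files cannot add up to the same outcome.
func loadManifests(srcs map[string]io.Reader, maxFile, maxCombined int64) (map[string][]byte, error) {
	out := make(map[string][]byte, len(srcs))
	var total int64
	for name, r := range srcs {
		data, err := readManifestBounded(r, maxFile)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if total += int64(len(data)); total > maxCombined {
			return nil, fmt.Errorf("%s: combined %w", name, ErrManifestTooLarge)
		}
		out[name] = data
	}
	return out, nil
}

func main() {
	// Constructed sample: a 4 KiB "manifest" against a 1 KiB per-file cap.
	srcs := map[string]io.Reader{"big.yaml": strings.NewReader(strings.Repeat("#", 4096))}
	_, err := loadManifests(srcs, 1024, 8192)
	fmt.Println("rejected:", errors.Is(err, ErrManifestTooLarge)) // rejected: true
}
```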

Comment 5 errata-xmlrpc 2022-06-22 04:17:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2022:5152 https://access.redhat.com/errata/RHSA-2022:5152

Comment 6 errata-xmlrpc 2022-06-23 09:07:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:5153 https://access.redhat.com/errata/RHSA-2022:5153

Comment 7 errata-xmlrpc 2022-06-24 20:14:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5192 https://access.redhat.com/errata/RHSA-2022:5192

Comment 8 errata-xmlrpc 2022-06-24 21:07:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5187 https://access.redhat.com/errata/RHSA-2022:5187

Comment 9 Product Security DevOps Team 2022-06-28 11:37:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31016