Bug 2270170 (CVE-2024-21652)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2024-21652 argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss | | |
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amctagga, aveerama, rgarg, shbose, sreber, ubhargav |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | argo-cd 2.10.4, argo-cd 2.9.9, argo-cd 2.8.13 | Doc Type: | If docs needed, set a value |
| Doc Text: | A brute force protection bypass flaw was found in Argo CD. Because failed login attempts are counted only in memory, the count is lost every time the server restarts, after which unlimited login attempts can be made. Brute force protection can therefore be bypassed by chaining this issue with a denial of service issue, such as CVE-2024-21661. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2270171 | | |
| Bug Blocks: | 2270183 | | |
Description
Pedro Sampaio
2024-03-18 19:12:37 UTC

- This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.11. Via RHSA-2024:1697 https://access.redhat.com/errata/RHSA-2024:1697
- This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.10. Via RHSA-2024:1700 https://access.redhat.com/errata/RHSA-2024:1700
- This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.12, Red Hat OpenShift GitOps 1.12 - RHEL 9. Via RHSA-2024:1752 https://access.redhat.com/errata/RHSA-2024:1752
- This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.12, Red Hat OpenShift GitOps 1.12 - RHEL 9. Via RHSA-2024:1753 https://access.redhat.com/errata/RHSA-2024:1753