Bug 2270182 (CVE-2024-21662)
| Summary: | CVE-2024-21662 argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amctagga, anjoseph, jprabhak, manissin, sreber, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | argo-cd 2.10.4, argo-cd 2.9.9, argo-cd 2.8.13 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Argo CD, where the rate limit for login attempts may be bypassed due to an incomplete fix for CVE-2020-8827. The cache-based mechanism is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by sending excessive login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2274318 | ||
| Bug Blocks: | 2270183 | ||
|
Description
Pedro Sampaio
2024-03-18 20:08:28 UTC
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.11 Via RHSA-2024:1697 https://access.redhat.com/errata/RHSA-2024:1697 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.10 Via RHSA-2024:1700 https://access.redhat.com/errata/RHSA-2024:1700 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.12 Red Hat OpenShift GitOps 1.12 - RHEL 9 Via RHSA-2024:1752 https://access.redhat.com/errata/RHSA-2024:1752 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.12 Red Hat OpenShift GitOps 1.12 - RHEL 9 Via RHSA-2024:1753 https://access.redhat.com/errata/RHSA-2024:1753 |