Bug 2096283 (CVE-2022-31016) - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug
Summary: CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31016
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2096259
Reported: 2022-06-13 12:32 UTC by Rohit Keshri
Modified: 2022-09-26 18:16 UTC (History)

Fixed In Version: ArgoCD 2.1.16, ArgoCD 2.2.10, ArgoCD 2.3.5, ArgoCD 2.4.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can cause ArgoCD's repo-server component to crash, resulting in a denial of service. The attacker must be an authenticated user to exploit this vulnerability.
Clone Of:
Environment:
Last Closed: 2022-06-28 11:37:45 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5152 0 None None None 2022-06-22 04:17:55 UTC
Red Hat Product Errata RHSA-2022:5153 0 None None None 2022-06-23 09:07:55 UTC
Red Hat Product Errata RHSA-2022:5187 0 None None None 2022-06-24 21:07:12 UTC
Red Hat Product Errata RHSA-2022:5192 0 None None None 2022-06-24 20:14:11 UTC

Description Rohit Keshri 2022-06-13 12:32:03 UTC
All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server
<https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server> service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies core Argo CD services (such as syncing Application updates).

To achieve denial of service, the attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file.

<https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq>

Comment 5 errata-xmlrpc 2022-06-22 04:17:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2022:5152 https://access.redhat.com/errata/RHSA-2022:5152

Comment 6 errata-xmlrpc 2022-06-23 09:07:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:5153 https://access.redhat.com/errata/RHSA-2022:5153

Comment 7 errata-xmlrpc 2022-06-24 20:14:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5192 https://access.redhat.com/errata/RHSA-2022:5192

Comment 8 errata-xmlrpc 2022-06-24 21:07:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5187 https://access.redhat.com/errata/RHSA-2022:5187

Comment 9 Product Security DevOps Team 2022-06-28 11:37:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31016

