2270170 – (CVE-2024-21652) CVE-2024-21652 argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss

Bug 2270170 (CVE-2024-21652) - CVE-2024-21652 argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss

Summary: CVE-2024-21652 argo-cd: Bypassing Brute Force Protection via Application Cras...

Keywords:
Status:	NEW
Alias:	CVE-2024-21652
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2270171
Blocks:	2270183
TreeView+	depends on / blocked

Reported:	2024-03-18 19:12 UTC by Pedro Sampaio
Modified:	2024-04-10 12:42 UTC (History)
CC List:	6 users (show)
Fixed In Version:	argo-cd 2.10.4, argo-cd 2.9.9, argo-cd 2.8.13
Doc Type:	If docs needed, set a value
Doc Text:	A bypass of brute force protection flaw was found in Argo CD. Since login attempts are stored only in memory, every time the server restarts, that number is lost and unlimited login attempts can be made. It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1697	None	None	None	2024-04-08 13:36:21 UTC
Red Hat Product Errata	RHSA-2024:1700	None	None	None	2024-04-08 16:37:17 UTC
Red Hat Product Errata	RHSA-2024:1752	None	None	None	2024-04-10 12:18:00 UTC
Red Hat Product Errata	RHSA-2024:1753	None	None	None	2024-04-10 12:42:04 UTC

Description Pedro Sampaio 2024-03-18 19:12:37 UTC

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

References:

https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv

Comment 3 errata-xmlrpc 2024-04-08 13:36:19 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:1697 https://access.redhat.com/errata/RHSA-2024:1697

Comment 4 errata-xmlrpc 2024-04-08 16:37:16 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:1700 https://access.redhat.com/errata/RHSA-2024:1700

Comment 5 errata-xmlrpc 2024-04-10 12:17:59 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12
  Red Hat OpenShift GitOps 1.12 - RHEL 9

Via RHSA-2024:1752 https://access.redhat.com/errata/RHSA-2024:1752

Comment 6 errata-xmlrpc 2024-04-10 12:42:03 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12
  Red Hat OpenShift GitOps 1.12 - RHEL 9

Via RHSA-2024:1753 https://access.redhat.com/errata/RHSA-2024:1753

Note You need to log in before you can comment on or make changes to this bug.