Nadava669

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.8.13 Argo CD versions prior to 2.9.9 Argo CD versions prior to 2.10.4 **Description** The issue is related to the mechanism of caching in Argo CD, which is a declarative, GitOps continuous delivery tool for Kubernetes. An attacker can exploit the application's weak cache-based mechanism to bypass the rate limit and brute force protections. This can be done by overflowing the cache, which tracks login attempts for each user and is limited to a `defaultMaxCacheSize` of 1000 entries, by bombarding it with login attempts for different users. This effectively resets the rate limit for the admin account, allowing attackers to perform brute force attacks at an accelerated rate. **Recommendations** For versions prior to 2.8.13, upgrade to version 2.8.13 or later to receive a patch. For versions prior to 2.9.9, upgrade to version 2.9.9 or later to receive a patch. For versions prior to 2.10.4, upgrade to version 2.10.4 or later to receive a patch. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.8.13 Argo CD versions prior to 2.9.9 Argo CD versions prior to 2.10.4 **Description** The issue arises from a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, allowing attackers to bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts. An attacker can exploit the application's weak cache-based mechanism to overflow the cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. The application crashes due to a DoS vulnerability caused by unsafe array modifications in a multi-threaded environment, and the application saves the data of failed login attempts in-memory, without persistent storage, which is lost when the application crashes and restarts, resetting the brute force protections. **Recommendations** For versions prior to 2.8.13, update to version 2.8.13 or later to patch the issue. For versions prior to 2.9.9, update to version 2.9.9 or later to patch the issue. For versions prior to 2.10.4, update to version 2.10.4 or later to patch the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.8.13 Argo CD versions prior to 2.9.9 Argo CD versions prior to 2.10.4 **Description** The issue arises from unsafe manipulation of an array in a multi-threaded environment, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. The vulnerability is rooted in the application's code, specifically in the `expireOldFailedAttempts()` function. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. **Recommendations** To resolve the issue for versions prior to 2.8.13, update to version 2.8.13 or later. To resolve the issue for versions prior to 2.9.9, update to version 2.9.9 or later. To resolve the issue for versions prior to 2.10.4, update to version 2.10.4 or later. As a temporary workaround, consider disabling the `expireOldFailedAttempts()` function until a patch is available.