PT-2022-3260 · Argo Cd · Argo Cd
Adam Korczynski
+1
·
Published
2022-06-15
·
Updated
2024-08-21
·
CVE-2022-31016
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Argo CD 0.7.0 and later, prior to 2.1.16
Argo CD 2.2.x prior to 2.2.10
Argo CD 2.3.x prior to 2.3.5
Argo CD 2.4.0 (prior to 2.4.1)
Description
The issue is an uncontrolled memory consumption bug in Argo CD's repo-server: when generating manifests for a directory-type Application, the repo-server reads the .yaml/.yml/.json files from the repository into memory without any size limit. An authorized malicious user can therefore crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user who is authorized to deploy Applications from a repository that contains (or can be made to contain) a large file.
Recommendations
Upgrade to a fixed release on your release line: 2.1.16, 2.2.10, 2.3.5 or 2.4.1 (or later).
Installations on 2.1.x or any older line (0.7.0 and later) should move to 2.1.16 or a newer release line.
As a temporary workaround, consider limiting who can configure repos, which repos are allowed, and who has push access to those repos.
After upgrading, tune the reposerver.max.combined.directory.manifests.size parameter (set in the argocd-cmd-params-cm ConfigMap) to cap the combined size of the .yaml/.yml/.json files the repo-server will read for a directory-type Application; requests whose manifests exceed the cap are rejected instead of being loaded into memory.
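The following Go program is an added illustration of the bug class and of the size cap described in the description and recommendations above. It is example code written for this page, not Argo CD's repo-server implementation: the function names, the symlink and regular-file checks, and the constructed sample directory (one small manifest plus a 64 KiB one) are all assumptions made here. ReadManifestsUnbounded reads every manifest with no limit, as the vulnerable repo-server did; ReadManifestsCapped keeps a running byte budget, refuses the directory once it would be exceeded, and bounds the read itself so a file that grows after the size check cannot bypass it.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrManifestsTooLarge is returned once the combined size of the manifest
// files in a directory would exceed the configured cap.
var ErrManifestsTooLarge = errors.New("combined size of directory manifests exceeds limit")

// isManifest reports whether a file name carries one of the extensions a
// directory-type Application treats as a manifest (.yaml/.yml/.json).
func isManifest(name string) bool {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".yaml", ".yml", ".json":
		return true
	}
	return false
}

// ReadManifestsUnbounded mirrors the behaviour the advisory describes: every
// manifest under dir is read into memory with no size check, so one huge
// .yaml pushed to the repository is enough to exhaust the process's memory.
func ReadManifestsUnbounded(dir string) ([][]byte, error) {
	var out [][]byte
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !isManifest(d.Name()) {
			return nil
		}
		data, err := os.ReadFile(path) // unbounded allocation
		if err != nil {
			return err
		}
		out = append(out, data)
		return nil
	})
	return out, err
}

// ReadManifestsCapped is the hardened form (illustrative, not Argo CD's code):
// a running byte budget rejects the directory as soon as the next file would
// exceed maxCombined, and the read itself is bounded by that budget.
func ReadManifestsCapped(dir string, maxCombined int64) ([][]byte, error) {
	var out [][]byte
	remaining := maxCombined
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !isManifest(d.Name()) {
			return nil
		}
		// os.Stat follows symlinks, so a link to a huge file outside the repo
		// (or to a device like /dev/zero) is judged by its target, not by the
		// few bytes d.Info() would report for the link entry itself.
		info, err := os.Stat(path)
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() {
			return fmt.Errorf("%s: not a regular file", path)
		}
		if info.Size() > remaining {
			return fmt.Errorf("%w: %s (limit %d bytes)", ErrManifestsTooLarge, path, maxCombined)
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		// Read at most remaining+1 bytes: the extra byte reveals a file that
		// grew between Stat and Open without allocating beyond the budget.
		data, err := io.ReadAll(io.LimitReader(f, remaining+1))
		f.Close()
		if err != nil {
			return err
		}
		if int64(len(data)) > remaining {
			return fmt.Errorf("%w: %s (limit %d bytes)", ErrManifestsTooLarge, path, maxCombined)
		}
		remaining -= int64(len(data))
		out = append(out, data)
		return nil
	})
	return out, err
}

func main() {
	// Constructed sample repository: one small manifest and one oversized one.
	dir, _ := os.MkdirTemp("", "argo-demo")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "cm.yaml"), []byte("apiVersion: v1\nkind: ConfigMap\n"), 0o644)
	_ = os.WriteFile(filepath.Join(dir, "huge.yml"), make([]byte, 64<<10), 0o644)

	got, err := ReadManifestsUnbounded(dir)
	fmt.Printf("unbounded: %d files read, err=%v\n", len(got), err)
	_, err = ReadManifestsCapped(dir, 32<<10)
	fmt.Printf("capped at 32 KiB: err=%v\n", err)
}
```

The check is deliberately done on a combined budget rather than per file, matching what the advisory's parameter name describes: many medium-sized manifests add up to the same allocation as one large one, so a per-file limit alone would not close the hole.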
Weakness types
Allocation of Resources Without Limits or Throttling (CWE-770)
Uncontrolled Resource Consumption / Resource Exhaustion (CWE-400)
Affected Products
Argo Cd