PT-2024-2261 · Argo CD

Nadava669 · Published 2024-03-18 · Updated 2025-01-09 · CVE-2024-21652

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Argo CD versions prior to 2.8.13
Argo CD versions prior to 2.9.9
Argo CD versions prior to 2.10.4
Description

The issue arises from a chain of weaknesses: a Denial of Service (DoS) flaw and in-memory storage of the brute-force protection state, which together allow an attacker to bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts. The failed-login counters live in a bounded in-memory cache; an attacker can overflow that cache by issuing login attempts for many different users, pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. Separately, the application crashes due to a DoS vulnerability caused by unsafe array modifications in a multi-threaded environment; because the failed-login data is held in memory without persistent storage, it is lost when the application crashes and restarts, which also resets the brute force protection.
Recommendations

For versions prior to 2.8.13, update to version 2.8.13 or later to patch the issue.
For versions prior to 2.9.9, update to version 2.9.9 or later to patch the issue.
For versions prior to 2.10.4, update to version 2.10.4 or later to patch the issue.

As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.
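The cache-eviction part of the weakness described above, modelled as an added Go example that is not Argo CD's code: a constructed bounded failed-login store in a weak mode (the oldest entry is evicted whatever its state) beside a hardened mode that never evicts a locked-out account. The capacity of 4, the threshold of 3 and the usernames are assumed values chosen for the illustration.

```go
package main
import "fmt"
const maxFailures = 3

// failureCache is a constructed model of a bounded in-memory failed-login store (not Argo CD's code).
type failureCache struct {
	capacity  int
	order     []string       // insertion order, oldest first
	counts    map[string]int // failed attempts per user
	pinLocked bool           // hardened mode: never evict a locked-out user
}
func newFailureCache(capacity int, pinLocked bool) *failureCache {
	return &failureCache{capacity: capacity, counts: map[string]int{}, pinLocked: pinLocked}
}
func (c *failureCache) IsLocked(user string) bool { return c.counts[user] >= maxFailures }
// RecordFailure counts a failed attempt; a full store drops its oldest entry, in weak mode even the admin's.
func (c *failureCache) RecordFailure(user string) {
	if _, known := c.counts[user]; !known {
		if len(c.order) >= c.capacity {
			c.evictOne()
		}
		c.order = append(c.order, user)
	}
	c.counts[user]++
}

// evictOne drops the oldest evictable entry; hardened mode skips locked-out users and may grow instead.
func (c *failureCache) evictOne() {
	for i, u := range c.order {
		if c.pinLocked && c.IsLocked(u) {
			continue
		}
		delete(c.counts, u)
		c.order = append(c.order[:i], c.order[i+1:]...)
		return
	}
}

// floodScenario locks "admin", floods the store with constructed filler usernames, and reports whether the lockout survived.
func floodScenario(pinLocked bool) bool {
	c := newFailureCache(4, pinLocked)
	for _, u := range []string{"admin", "admin", "admin", "u0", "u1", "u2", "u3", "u4"} {
		c.RecordFailure(u)
	}
	return c.IsLocked("admin")
}

func main() {
	fmt.Println("weak:", floodScenario(false), "hardened:", floodScenario(true)) // weak: false hardened: true
}
```

The weak mode shows why a bounded in-memory cache is an unsafe home for lockout state; the hardened mode keeps the lockout but trades it for memory growth under flooding, which is why persistent storage is the more robust fix.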

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

BDU:2024-02194
BIT-ARGO-CD-2024-21652
BIT-ARGO-CD-2024-21662
CVE-2024-21652
GHSA-2VGG-9H6W-M454
GHSA-X32M-MVFJ-52XV
GO-2024-2652
RHSA-2024:1752

Affected Products

Argo CD