PT-2024-2499 · Argo CD · Argo CD

Jakub Ciolek · Published 2024-03-29 · Updated 2025-01-09 · CVE-2024-29893

CVSS v2.0: 6.8 Medium
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Argo CD 2.10.x before 2.10.3
Argo CD 2.9.x before 2.9.8
Argo CD 2.4.0 up to and including 2.8.11 (the 2.8 branch is the oldest one that received a fix)

Description

The loadRepoIndex() function in Argo CD's helm package, which the repo-server uses to download a Helm repository's index (index.yaml), places no limit on the size of the response it reads or on the time it waits for it. An authenticated user who can point an Application or a repository credential at an attacker-controlled Helm registry can therefore crash the repo-server: if the registry keeps streaming data in response to the index request, the repo-server keeps buffering it in memory until it is killed with an out-of-memory error, denying service to every Application that repo-server handles.

Recommendations

Upgrade to a fixed release: 2.10.x to 2.10.3 or later, 2.9.x to 2.9.8 or later, 2.8.x and earlier to 2.8.12 or later. There is no way to restrict access to loadRepoIndex() itself, since it is an internal function. Until the upgrade is rolled out, reduce exposure by limiting which Helm repositories Argo CD may use (for example with an AppProject sourceRepos allowlist) and by running the repo-server with memory limits so that an out-of-memory kill is contained to that pod rather than the node.
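The snippet below is an added illustration, not Argo CD's own code and not the project's patch. It puts the unbounded fetch pattern next to a bounded one that applies the two controls the description says were missing (a deadline on the request and a cap on buffered bytes), and checks both against three constructed registries served from httptest: a benign one returning a small index.yaml, a flooding one that streams 64 KiB chunks until the client disconnects, and a trickling one that sends a byte every 50 ms. The function names, the 1 MiB cap, the timeouts and the sample index are assumptions chosen for the example; Argo CD's actual limits may differ.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed sample: a minimal Helm repository index, the document a client
// expects at <repo>/index.yaml. Not taken from any real repository.
const benignIndex = "apiVersion: v1\nentries:\n  demo:\n  - name: demo\n    version: 1.0.0\n    urls: [demo-1.0.0.tgz]\n"

var (
	ErrIndexTooLarge = errors.New("helm index exceeds size limit")
	ErrIndexTimeout  = errors.New("helm index fetch exceeded deadline")
)

// fetchIndexUnbounded shows the weakness class: the whole response body is
// buffered in memory with no size cap and no deadline, so a registry that never
// stops sending drives the caller to an out-of-memory kill. Illustrative only;
// this is not Argo CD's loadRepoIndex(). Do not run it against streamingRegistry.
func fetchIndexUnbounded(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body) // grows until the process is killed
}

// fetchIndexBounded applies the two missing controls: a deadline covering the
// whole request (headers and body) and a hard cap on how many bytes are buffered.
func fetchIndexBounded(ctx context.Context, url string, maxBytes int64, timeout time.Duration) ([]byte, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d fetching %s", resp.StatusCode, url)
	}
	// Read one byte past the cap so an index of exactly maxBytes is accepted
	// while anything larger is rejected without being buffered.
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		if ctx.Err() != nil {
			return nil, fmt.Errorf("%w: %v", ErrIndexTimeout, err)
		}
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, ErrIndexTooLarge
	}
	return body, nil
}

// streamingRegistry stands in for a hostile Helm registry: it emits chunk every
// interval and only stops when the client goes away (constructed for the example).
func streamingRegistry(chunk []byte, interval time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		flusher, _ := w.(http.Flusher)
		for {
			if _, err := w.Write(chunk); err != nil {
				return // client disconnected
			}
			if flusher != nil {
				flusher.Flush()
			}
			select {
			case <-r.Context().Done():
				return
			case <-time.After(interval):
			}
		}
	}))
}

// benignRegistry serves the constructed index.yaml and returns.
func benignRegistry() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, benignIndex)
	}))
}

func main() {
	ok := benignRegistry()
	defer ok.Close()
	body, err := fetchIndexBounded(context.Background(), ok.URL+"/index.yaml", 1<<20, 5*time.Second)
	fmt.Printf("benign registry: %d bytes, err=%v\n", len(body), err)

	flood := streamingRegistry(make([]byte, 64<<10), 0)
	defer flood.Close()
	_, err = fetchIndexBounded(context.Background(), flood.URL+"/index.yaml", 1<<20, 5*time.Second)
	fmt.Println("flooding registry:", err) // rejected after ~1 MiB instead of growing without bound

	trickle := streamingRegistry([]byte("x"), 50*time.Millisecond)
	defer trickle.Close()
	_, err = fetchIndexBounded(context.Background(), trickle.URL+"/index.yaml", 1<<20, 300*time.Millisecond)
	fmt.Println("trickling registry:", err) // deadline fires instead of the read hanging forever
}
```

The size cap alone does not stop a slow-drip registry from tying up a worker indefinitely, and the deadline alone does not stop a fast one from filling memory before it expires, which is why the bounded variant needs both. Whatever values are chosen, the cap must be larger than the biggest legitimate index the instance consumes, or real repositories will start failing with ErrIndexTooLarge.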

Weakness Enumeration

Resource Exhaustion

Related Identifiers

BDU:2024-02480
BIT-argo-cd-2024-29893
CVE-2024-29893
GHSA-jhwx-mhww-rgc3
GO-2024-2667
RHSA-2024:1752

Affected Products

Argo CD