Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
The attacker exploits a vulnerability chain: first triggering a Denial of Service error, which causes service failure and loss of data temporarily stored in memory (in-memory). The loss of this data resets login attempt counters, causing the brute force protection mechanism to stop working. After the service restarts, the attacker can perform unlimited login attempts without the risk of account lockout.
An attacker can take control of user accounts through unlimited brute force attacks on credentials and cause Argo CD service unavailability for all users.
Argo CD should be updated to version 2.8.13, 2.9.9 or 2.10.4, in which patches for this vulnerability have been released.
Argo CD in versions prior to 2.8.13, 2.9.9 and 2.10.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HArgoproj Argo Cd
APPArgoproj< 2.8.132.9.0 – 2.9.9 (bez)2.10.0 – 2.10.4 (bez)
Related vulnerabilities
Argo CD: ujawnienie danych Secret Kubernetes przez endpoint ServerSideDiff
Argo CD: nieuprawniony dostęp do poświadczeń repozytoriów przez API token
XSS w Argo CD — wykonanie akcji w imieniu ofiary via API
Argo CD: nieautoryzowany dostęp do Redis umożliwia privilege escalation
Argo CD: XSS w adnotacjach linków umożliwia przejęcie uprawnień