CRITICAL🇵🇱 Wersja polska

CVE-2024-21652

CVSS 9.8v3.1pub. 2024-03-18upd. 2025-01-09

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

🤖 AI Analysis
How it works

The attacker exploits a vulnerability chain: first triggering a Denial of Service error, which causes service failure and loss of data temporarily stored in memory (in-memory). The loss of this data resets login attempt counters, causing the brute force protection mechanism to stop working. After the service restarts, the attacker can perform unlimited login attempts without the risk of account lockout.

Impact

An attacker can take control of user accounts through unlimited brute force attacks on credentials and cause Argo CD service unavailability for all users.

Mitigation & patch

Argo CD should be updated to version 2.8.13, 2.9.9 or 2.10.4, in which patches for this vulnerability have been released.

Who is affected

Argo CD in versions prior to 2.8.13, 2.9.9 and 2.10.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Argoproj Argo Cd

    APP
    Argoproj
    < 2.8.132.9.0 – 2.9.9 (bez)2.10.0 – 2.10.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoSContainer
CWE
References

Related vulnerabilities

CVE-2026-42880CRITICAL9.6PL ✓ten sam produkt

Argo CD: ujawnienie danych Secret Kubernetes przez endpoint ServerSideDiff

CVE-2025-55190CRITICAL9.9PL ✓ten sam produkt

Argo CD: nieuprawniony dostęp do poświadczeń repozytoriów przez API token

CVE-2025-47933CRITICAL9.0PL ✓ten sam produkt

XSS w Argo CD — wykonanie akcji w imieniu ofiary via API

CVE-2024-31989CRITICAL9.0PL ✓ten sam produkt

Argo CD: nieautoryzowany dostęp do Redis umożliwia privilege escalation

CVE-2024-28175CRITICAL9.0PL ✓ten sam produkt

Argo CD: XSS w adnotacjach linków umożliwia przejęcie uprawnień