gsd-2022-31016
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.
Aliases
Aliases
{ GSD: { alias: "CVE-2022-31016", description: "Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.", id: "GSD-2022-31016", references: [ "https://access.redhat.com/errata/RHSA-2022:5152", "https://access.redhat.com/errata/RHSA-2022:5187", "https://access.redhat.com/errata/RHSA-2022:5192", "https://access.redhat.com/errata/RHSA-2022:5153", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2022-31016", ], details: "Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.", id: "GSD-2022-31016", modified: "2023-12-13T01:19:17.855398Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2022-31016", STATE: "PUBLIC", TITLE: "Argo CD vulnerable to Uncontrolled Memory Consumption", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "argo-cd", version: { version_data: [ { version_value: ">= 0.7.0, < 2.1.16", }, { version_value: "> 2.0.0, < 2.2.10", }, { version_value: "> 2.3.0, < 2.3.5", }, ], }, }, ], }, vendor_name: "argoproj", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400: Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq", refsource: "CONFIRM", url: "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq", }, ], }, source: { advisory: "GHSA-jhqp-vf4w-rpwq", discovery: "UNKNOWN", }, }, "gitlab.com": { advisories: [ { affected_range: ">=v0.7.0 <=v1.8.7", affected_versions: "All versions starting from 0.7.0 up to 1.8.7", cwe_ids: [ "CWE-1035", "CWE-937", ], date: "2022-06-21", description: "### Impact\n\nAll versions of Argo CD starting with v0.7.0 is vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the [repo-server](https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server) service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies core Argo CD services (such as syncing Application updates).\n\nTo achieve denial of service, the attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. \n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.4.1\n* v2.3.5\n* v2.2.10\n* v2.1.16\n\n**The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production.** It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is `10M` per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.\n\nIf your organization uses directory-type Applications with very many manifests or very large manifests then **check the size of those manifests and tune the config parameter before deploying this change to production**. When testing, make sure to do a \"hard refresh\" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.\n\n### Workarounds\n\nThere is no workaround besides upgrading.\n\nTo mitigate the issue, carefully limit 1) who can configure repos (determined by [RBAC](https://argo-cd.readthedocs.io/en/stable/getting_started/)), 2) which repos are allowed (determined by [Project](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/) limitations), and 3) who has push access to those repos (determined by your SCM provider configuration).\n\n### Credits\n\nDisclosed by ADA Logics in a security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n", fixed_versions: [ "v2.1.16", ], identifier: "GMS-2022-2556", identifiers: [ "GHSA-jhqp-vf4w-rpwq", "GMS-2022-2556", "CVE-2022-31016", ], not_impacted: "All versions before 0.7.0, all versions after 1.8.7", package_slug: "go/github.com/argoproj/argo-cd", pubdate: "2022-06-21", solution: "Upgrade to version 2.1.16 or above.", title: "DoS through large manifest files in Argo CD", urls: [ "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq", "https://github.com/advisories/GHSA-jhqp-vf4w-rpwq", ], uuid: "4fce7b61-dff5-407f-ba64-cb693d618c15", versions: [ { commit: { sha: "6fc345f555dff62d232fe03bf17b8bf84d7f1b5d", tags: [ "v0.7.0", ], timestamp: "20180728010621", }, number: "v0.7.0", }, { commit: { sha: "eb3d1fb84b9b77cdffd70b14c4f949f1c64a9416", tags: [ "v1.8.7", ], timestamp: "20210303070237", }, number: "v1.8.7", }, { commit: { sha: "903db5fe464032bd5a10bf32fe17639e76634c2a", tags: [ "v2.1.16", ], timestamp: "20220621161926", }, number: "v2.1.16", }, ], }, { affected_range: "<v2.1.16 || >=v2.2.0 <v2.2.10 || >=v2.3.0 <v2.3.5 || =v2.4.0", affected_versions: "All versions before 2.1.16, all versions starting from 2.2.0 before 2.2.10, all versions starting from 2.3.0 before 2.3.5, version 2.4.0", cwe_ids: [ "CWE-1035", "CWE-937", ], date: "2022-06-21", description: "### Impact\n\nAll versions of Argo CD starting with v0.7.0 is vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the [repo-server](https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server) service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies core Argo CD services (such as syncing Application updates).\n\nTo achieve denial of service, the attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. \n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.4.1\n* v2.3.5\n* v2.2.10\n* v2.1.16\n\n**The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production.** It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is `10M` per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.\n\nIf your organization uses directory-type Applications with very many manifests or very large manifests then **check the size of those manifests and tune the config parameter before deploying this change to production**. When testing, make sure to do a \"hard refresh\" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.\n\n### Workarounds\n\nThere is no workaround besides upgrading.\n\nTo mitigate the issue, carefully limit 1) who can configure repos (determined by [RBAC](https://argo-cd.readthedocs.io/en/stable/getting_started/)), 2) which repos are allowed (determined by [Project](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/) limitations), and 3) who has push access to those repos (determined by your SCM provider configuration).\n\n### Credits\n\nDisclosed by ADA Logics in a security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n", fixed_versions: [ "v2.1.16", "v2.2.10", "v2.3.5", "v2.4.1", ], identifier: "GMS-2022-2560", identifiers: [ "GHSA-jhqp-vf4w-rpwq", "GMS-2022-2560", "CVE-2022-31016", ], not_impacted: "All versions starting from 2.1.16 before 2.2.0, all versions starting from 2.2.10 before 2.3.0, all versions starting from 2.3.5 before 2.4.0, all versions after 2.4.0", package_slug: "go/github.com/argoproj/argo-cd/v2", pubdate: "2022-06-21", solution: "Upgrade to versions 2.1.16, 2.2.10, 2.3.5, 2.4.1 or above.", title: "DoS through large manifest files in Argo CD", urls: [ "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq", "https://github.com/advisories/GHSA-jhqp-vf4w-rpwq", ], uuid: "d30fb9a7-8390-481e-b16b-8a39766f0e74", versions: [ { commit: { sha: "6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a", tags: [ "v2.2.0", ], timestamp: "20211214180104", }, number: "v2.2.0", }, { commit: { sha: "fe427802293b090f43f91f5839393174df6c3b3a", tags: [ "v2.3.0", ], timestamp: "20220306061859", }, number: "v2.3.0", }, { commit: { sha: "91aefabc5b213a258ddcfe04b8e69bb4a2dd2566", tags: [ "stable", "v2.4.0", ], timestamp: "20220610171343", }, number: "v2.4.0", }, { commit: { sha: "903db5fe464032bd5a10bf32fe17639e76634c2a", tags: [ "v2.1.16", ], timestamp: "20220621161926", }, number: "v2.1.16", }, { commit: { sha: "8db0e57b738ff5b0b276031573576fdc3498c04f", tags: [ "v2.2.10", ], timestamp: "20220621162737", }, number: "v2.2.10", }, { commit: { sha: "52e6025f8b565705025d029e8bed36d6caa5ecf7", tags: [ "v2.4.1", ], timestamp: "20220621162747", }, number: "v2.4.1", }, { commit: { sha: "1287d24bfe47bcaa6e791e5ff12fa1c1bf57a442", tags: [ "v2.3.5", ], timestamp: "20220621162823", }, number: "v2.3.5", }, ], }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "2.4.1", versionStartIncluding: "2.4.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "2.1.16", versionStartIncluding: "0.7.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "2.2.10", versionStartIncluding: "2.2.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "2.3.5", versionStartIncluding: "2.3.0", vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2022-31016", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-770", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq", refsource: "CONFIRM", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, }, }, lastModifiedDate: "2023-07-21T17:09Z", publishedDate: "2022-06-25T08:15Z", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.