CVE-2023-40584: Denial of Service to Argo CD repo-server

First published: Thu Aug 31 2023(Updated: )

### Impact All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.6.15 * v2.7.14 * v2.8.3 ### Workarounds The only way to completely resolve the issue is to upgrade. #### Mitigations Configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd ### Credits This vulnerability was found & reported by GE Vernova – Amit Laish. The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-bugzilla
• alias/CVE-2023-40584
• collector/nvd-index
• collector/nvd-cve
• collector/github-advisory-latest
• alias/GHSA-g687-f2gx-6wm8
• collector/github-advisory
• agent/type
• agent/first-publish-date
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/severity
• agent/title
• agent/last-modified-date
• agent/weakness
• agent/references
• agent/remedy
• agent/author
• agent/description
• agent/event
• agent/tags
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• package-manager/redhat
• vendor/linuxfoundation
• canonical/linuxfoundation argo continuous delivery
• version/linuxfoundation argo continuous delivery/2.4.0
• version/linuxfoundation argo continuous delivery/2.7.0
• version/linuxfoundation argo continuous delivery/2.8.0
• package-manager/go
• vendor/argoproj
• canonical/argoproj argo cd
• version/argoproj argo cd/2.4.0
• version/argoproj argo cd/2.7.0
• version/argoproj argo cd/2.8.0