First published: Thu Aug 31 2023(Updated: )
### Impact All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.6.15 * v2.7.14 * v2.8.3 ### Workarounds The only way to completely resolve the issue is to upgrade. #### Mitigations Configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd ### Credits This vulnerability was found & reported by GE Vernova – Amit Laish. The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ArgoCD | <2.6 | 2.6 |
Linuxfoundation Argo Continuous Delivery | >=2.4.0<2.6.15 | |
Linuxfoundation Argo Continuous Delivery | >=2.7.0<2.7.14 | |
Linuxfoundation Argo Continuous Delivery | >=2.8.0<2.8.3 | |
go/github.com/argoproj/argo-cd/v2 | >=2.8.0<2.8.3 | 2.8.3 |
go/github.com/argoproj/argo-cd/v2 | >=2.7.0<2.7.14 | 2.7.14 |
go/github.com/argoproj/argo-cd/v2 | >=2.4.0<2.6.15 | 2.6.15 |
Argoproj Argo Cd | >=2.4.0<2.6.15 | |
Argoproj Argo Cd | >=2.7.0<2.7.14 | |
Argoproj Argo Cd | >=2.8.0<2.8.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-40584 is a vulnerability in the ArgoCD repo-server component that allows for a Denial-of-Service attack.
The impact of CVE-2023-40584 is a Denial-of-Service attack vector.
All versions of ArgoCD starting from v2.4 up to, but not including, v2.6.
To fix CVE-2023-40584, upgrade ArgoCD to version 2.6 or higher.
You can find more information about CVE-2023-40584 at the following references: [Link 1](https://access.redhat.com/errata/RHSA-2023:5029), [Link 2](https://access.redhat.com/errata/RHSA-2023:5030), [Link 3](https://bugzilla.redhat.com/show_bug.cgi?id=2236530).