{"url":"http://public2.vulnerablecode.io/api/packages/112456?format=json","purl":"pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4?arch=el9","type":"rpm","namespace":"redhat","name":"openshift-gitops-argocd-cli","version":"1.12.1-4","qualifiers":{"arch":"el9"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85652?format=json","vulnerability_id":"VCID-5wqk-tv5c-mbgn","summary":"Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss\n### Summary\nAn attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts.\n\n### Details\nThe issue arises from two main vulnerabilities:\n\n1. The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment.\n2. The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force protections.\n\n```go\n// LoginAttempts is a timestamped counter for failed login attempts\ntype LoginAttempts struct {\n\t// Time of the last failed login\n\tLastFailed time.Time `json:\"lastFailed\"`\n\t// Number of consecutive login failures\n\tFailCount int `json:\"failCount\"`\n}\n```\n\nBy chaining these vulnerabilities, an attacker can circumvent the limitations placed on the number of login attempts.\n\n### PoC\n1. Run the provided PoC script.\n2. Observe that the script makes 6 login attempts, one more than the set limit of 5 failed attempts.\n3. 
This is made possible because the script triggers a server restart via the DoS vulnerability after 5 failed attempts, thus resetting the counter for failed login attempts.\n\n### Impact\nThis is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21652.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21652.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21652","reference_id":"","reference_type":"","scores":[{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.22997","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.22992","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23047","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23091","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23104","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21652"},{"reference_url":"https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-
2020-8827-insufficient-anti-automationanti-brute-force"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual"
,"scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-07T15:52:24Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21652","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21652"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270170","reference_id":"2270170","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270170"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1697","reference_id":"RHSA-2024:1697","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1697"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1700","reference_id":"RHSA-2024:1700","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1752","reference_id":"RHSA-2024:1752","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1752"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1753","reference_id":"RHSA-2024:1753","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1753"}],"fixed_packages":[],"aliases":["CVE-2024-21652","GHSA-x32m-mvfj-52xv"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5wqk-tv5c-mbgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85417?format=json","vulnerability_id":"VCID-61ns-h57h-6fhc","summary":"Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment\n### 
Summary\nAn attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.\n\n### Details\nThe vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes.\n\nThe core issue is located in the [expireOldFailedAttempts](https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311) function:\n```go\nfunc expireOldFailedAttempts(maxAge time.Duration, failures *map[string]LoginAttempts) int {\n\texpiredCount := 0\n\tfor key, attempt := range *failures {\n\t\tif time.Since(attempt.LastFailed) > maxAge*time.Second {\n\t\t\texpiredCount += 1\n\t\t\tdelete(*failures, key) // Vulnerable code\n\t\t}\n\t}\n\treturn expiredCount\n}\n```\n\nThe function modifies the array while iterating over it, which means the code will cause an error and crash the application pod; inspecting the logs just before the crash, we can confirm this:\n```\ngoroutine 2032 [running]:\ngithub.com/argoproj/argo-cd/v2/util/session.expireOldFailedAttempts(0x12c, 0xc000adecd8)\n\t/go/src/github.com/argoproj/argo-cd/util/session/sessionmanager.go:304 +0x7c\ngithub.com/argoproj/argo-cd/v2/util/session.(*SessionManager).updateFailureCount(0xc00035af50, {0xc001b1f578, 0x11}, 0x1)\n\t/go/src/github.com/argoproj/argo-cd/util/session/sessionmanager.go:320 +0x7f\ngithub.com/argoproj/argo-cd/v2/util/session.(*SessionManager).VerifyUsernamePassword(0xc00035af50, {0xc001b1f578, 0x11}, {0xc000455148, 0x8})\n```\n### PoC\nTo reproduce the vulnerability, you can use the following steps:\n\n1. Launch the application.\n2. 
Trigger the code path that results in the `expireOldFailedAttempts()` function being called in multiple threads.\n3. In the attached PoC script we are restarting the server in a while loop, causing the application to become completely unresponsive.\n\n### Impact\nThis is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21661.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21661.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21661","reference_id":"","reference_type":"","scores":[{"value":"0.02176","scoring_system":"epss","scoring_elements":"0.84673","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02176","scoring_system":"epss","scoring_elements":"0.8466","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02176","scoring_system":"epss","scoring_elements":"0.84678","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02176","scoring_system":"epss","scoring_elements":"0.84674","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02176","scoring_system":"epss","scoring_elements":"0.84672","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21661"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/
argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-19T14:24:28Z/"}],"url":"https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-19T14:24:28Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-19T14:24:28Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_
elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-19T14:24:28Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-19T14:24:28Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21661","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21661"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270173","reference_id":"2270173","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270173"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1697","reference_id":"RHSA-2024:1697","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1697"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1700","reference_id":"RHSA-2024:1700","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1752","reference_id":"RHSA-2024:1752","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1752"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1753","reference_id":"RHSA-2024:1753","reference_type":"","scores":[
],"url":"https://access.redhat.com/errata/RHSA-2024:1753"}],"fixed_packages":[],"aliases":["CVE-2024-21661","GHSA-6v85-wr92-q4p7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-61ns-h57h-6fhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85396?format=json","vulnerability_id":"VCID-csyu-sj6e-vqbf","summary":"Users with `create` but not `override` privileges can perform local sync\n### Impact\n\n\"Local sync\" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.\n\nAn improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is _not_ enforced is that the manifests come from some approved git/Helm/OCI source.\n\nThe bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added.\n\n### Patches\n\nThe bug has been patched in the following versions:\n\n* 2.10.3\n* 2.9.8\n* 2.8.12\n\n### Workarounds\n\nTo immediately mitigate the risk of branch protection bypass, remove `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.\n\nBranch protection rules and review requirements are a great way to enforce security constraints in a GitOps environment, but they should be just one layer in a multi-layered approach. 
Make sure your AppProject and RBAC restrictions are as thorough as possible to prevent a review bypass vulnerability from permitting excessive damage.\n\n### References\n\n* [Argo CD RBAC documentation](https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/)\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50726.json","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50726.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50726","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07162","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07141","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07185","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07193","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07199","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50726"},{"reference_url":"https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring
_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-14T15:56:02Z/"}],"url":"https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-14T15:56:02Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-14T15:56:02Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50726","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50726"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2269479
","reference_id":"2269479","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2269479"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1697","reference_id":"RHSA-2024:1697","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1697"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1700","reference_id":"RHSA-2024:1700","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1752","reference_id":"RHSA-2024:1752","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1752"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1753","reference_id":"RHSA-2024:1753","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1753"}],"fixed_packages":[],"aliases":["CVE-2023-50726","GHSA-g623-jcgg-mhmm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-csyu-sj6e-vqbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85319?format=json","vulnerability_id":"VCID-t2kq-hjt4-9ugp","summary":"ArgoCD's repo server has Uncontrolled Resource Consumption vulnerability\n### Impact\nAll versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically,  it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry.\nThe loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. 
If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it.\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.10.5\n* v2.9.10\n* v2.8.14\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\nThis vulnerability was found and reported by Jakub Ciolek.\n\nThe Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolution of this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29893.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29893.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29893","reference_id":"","reference_type":"","scores":[{"value":"0.00821","scoring_system":"epss","scoring_elements":"0.74791","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00821","scoring_system":"epss","scoring_elements":"0.74764","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00821","scoring_system":"epss","scoring_elements":"0.74784","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00821","scoring_system":"epss","scoring_elements":"0.7478","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00821","scoring_system":"epss","scoring_elements":"0.74789","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29893"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","
scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-29T18:59:56Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-29T18:59:56Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-29T18:59:56Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3","re
ference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-29T18:59:56Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29893","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29893"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2272211","reference_id":"2272211","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2272211"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1697","reference_id":"RHSA-2024:1697","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1697"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1700","reference_id":"RHSA-2024:1700","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1752","reference_id":"RHSA-2024:1752","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1752"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1753","reference_id":"RHSA-2024:1753","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1753"}],"fixed_packages":[],"aliases":["CVE-2024-29893","GHSA-jhwx-mhww-rgc3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2kq-hjt4-9ugp"},{"url":"http://public2.vulnerablec
ode.io/api/vulnerabilities/85475?format=json","vulnerability_id":"VCID-zdnr-5zat-5ybe","summary":"Bypassing Rate Limit and Brute Force Protection Using Cache Overflow\n### Summary\nAn attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks.\n\n### Details\nThe application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.\n\nThe brute force protection mechanism's code:\n```go\nif failed && len(failures) >= getMaximumCacheSize() {\n\tlog.Warnf(\"Session cache size exceeds %d entries, removing random entry\", getMaximumCacheSize())\n\tidx := rand.Intn(len(failures) - 1)\n\tvar rmUser string\n\ti := 0\n\tfor key := range failures {\n\t\tif i == idx {\n\t\t\trmUser = key\n\t\t\tdelete(failures, key)\n\t\t\tbreak\n\t\t}\n\t\ti++\n\t}\n\tlog.Infof(\"Deleted entry for user %s from cache\", rmUser)\n}\n```\n\n### PoC\n1. Set up the application environment and identify the login page.\n2. Execute 4 failed login attempts for the admin account.\n3. Run a Burp Intruder attack to populate the cache with login attempts for usernames ranging from 1 to 10000.\n4. After 1000 attempts, start monitoring to see if the admin entries in the cache have been cleared.\n5. 
At this point, brute-force the admin account.\n\nIn just 15 minutes, the PoC was able to perform 230 brute force attempts on the admin account. This rate allows for approximately 1000 requests per hour, effectively rendering the [older CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) rate limit patches useless.\n\n### Impact\nThis is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21662.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21662.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21662","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22655","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22653","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22703","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2275","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22765","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21662"},{"reference_url":"https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","
scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-16T00:19:37Z/"}],"url":"https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-16T00:19:37Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-16T00:19:37Z/"}],"url":"https://github.com/argop
roj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-16T00:19:37Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-16T00:19:37Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21662","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21662"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270182","reference_id":"2270182","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270182"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1697","reference_
id":"RHSA-2024:1697","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1697"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1700","reference_id":"RHSA-2024:1700","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1752","reference_id":"RHSA-2024:1752","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1752"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1753","reference_id":"RHSA-2024:1753","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1753"}],"fixed_packages":[],"aliases":["CVE-2024-21662","GHSA-2vgg-9h6w-m454"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zdnr-5zat-5ybe"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4%3Farch=el9"}