CVE-2024-21661

{"id": "CVE-2024-21661", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-03-18T19:15:06.687", "references": [{"url": "https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue."}, {"lang": "es", "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Antes de las versiones 2.8.13, 2.9.9 y 2.10.4, un atacante pod\u00eda explotar una falla cr\u00edtica en la aplicaci\u00f3n para iniciar un ataque de denegaci\u00f3n de servicio (DoS), dejando la aplicaci\u00f3n inoperable y afectando a todos los usuarios. El problema surge de la manipulaci\u00f3n insegura de una matriz en un entorno de subprocesos m\u00faltiples. La vulnerabilidad tiene su origen en el c\u00f3digo de la aplicaci\u00f3n, donde se modifica una matriz mientras se itera sobre ella. Este es un error de programaci\u00f3n cl\u00e1sico, pero se vuelve cr\u00edticamente inseguro cuando se ejecuta en un entorno de subprocesos m\u00faltiples. Cuando dos subprocesos interact\u00faan con la misma matriz simult\u00e1neamente, la aplicaci\u00f3n falla. Esta es una vulnerabilidad de denegaci\u00f3n de servicio (DoS). Cualquier atacante puede bloquear la aplicaci\u00f3n continuamente, imposibilitando que los usuarios leg\u00edtimos accedan al servicio. El problema se agrava porque no requiere autenticaci\u00f3n, lo que ampl\u00eda el grupo de atacantes potenciales. Las versiones 2.8.13, 2.9.9 y 2.10.4 contienen un parche para este problema."}], "lastModified": "2025-01-09T17:09:38.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6312AE1F-68E1-4B95-952B-BCFA03CCC7AD", "versionEndExcluding": "2.8.13"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89CCBDB3-E3A5-4529-9483-556AE5F93775", "versionEndExcluding": "2.9.9", "versionStartIncluding": "2.9.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FD6C646-5A70-42B0-A92A-DEB525C09A64", "versionEndExcluding": "2.10.4", "versionStartIncluding": "2.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}