CVE-2022-31016

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

Published: Jun 25, 2022
Updated: Jul 22, 2023
CVE: CVE-2022-31016
GHSA: GHSA-jhqp-vf4w-rpwq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
github.com/argoproj/argo-cd	0.7.0	2.1.16
github.com/argoproj/argo-cd/v2	-	2.1.16
github.com/argoproj/argo-cd/v2	2.2.0	2.2.10
github.com/argoproj/argo-cd/v2	2.3.0	2.3.5
github.com/argoproj/argo-cd/v2	2.4.0	2.4.0.x
github.com/argoproj/argo-cd/v2	2.4.0	2.4.1
argoproj / argo_cd	0.7.0	2.1.16
argoproj / argo_cd	2.2.0	2.2.10
argoproj / argo_cd	2.3.0	2.3.5
argoproj / argo_cd	2.4.0	2.4.1

https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq

Vulnerability Database

CVE-2022-31016