Security Advisories

CGA-wm43-6v9h-f648

Published

Last updated

https://images.chainguard.dev/security/CGA-wm43-6v9h-f648
Package

argo-cd-fips-2.8

Latest Update
Fixed
Fixed Version

2.8.17-r0

Aliases
  • CVE-2024-32476
  • GHSA-9m6p-x4h2-6frq

Severity

6.5

Medium

CVSS V3

Summary

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences

Description

Impact

Denial of service via out-of-memory (OOM) using a jq path expression in ignoreDifferences: a jqPathExpressions entry that loops without bound makes the application controller allocate memory until it is killed. A minimal example:

ignoreDifferences:
  - group: apps
    kind: Deployment
    jqPathExpressions:
      - 'until(true == false; [.] + [1])'
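As an added example (not Chainguard's or Argo CD's own code), the following check walks an Argo CD Application manifest, collects every jqPathExpressions entry under spec.ignoreDifferences, and flags expressions that use jq's condition-driven iteration builtins, which is how the payload above is built. The builtin list, the length limit and the sample manifest are all constructed for this example; they are a pre-admission heuristic an operator might run in CI, not an Argo CD feature, and the real fix is upgrading to a patched version.

```python
import json
import re

# Heuristic list of jq builtins that iterate until a condition holds and so
# can run without bound on a crafted expression (constructed for this
# example; not an Argo CD setting).
UNBOUNDED_BUILTINS = ("until", "while", "repeat", "recurse")
# Upper bound on expression length; a constructed policy value.
MAX_EXPR_LEN = 512

_BUILTIN_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_BUILTINS) + r")\b")
_DEF_RE = re.compile(r"\bdef\s+[A-Za-z_]\w*")


def iter_jq_expressions(app):
    """Yield (entry_index, expression) for every jqPathExpressions entry
    under spec.ignoreDifferences; entries that only use jsonPointers or
    managedFieldsManagers are skipped."""
    entries = app.get("spec", {}).get("ignoreDifferences", []) or []
    for idx, entry in enumerate(entries):
        for expr in entry.get("jqPathExpressions", []) or []:
            yield idx, expr


def check_expression(expr):
    """Return the reasons an expression should be rejected (empty list
    means it passes the heuristic)."""
    reasons = []
    if len(expr) > MAX_EXPR_LEN:
        reasons.append(f"expression longer than {MAX_EXPR_LEN} characters")
    for m in _BUILTIN_RE.finditer(expr):
        reasons.append(f"uses unbounded iteration builtin '{m.group(1)}'")
    if _DEF_RE.search(expr):
        reasons.append("defines a jq function (user-defined functions may recurse)")
    return reasons


def audit_application(app):
    """Return one finding per offending jqPathExpressions entry."""
    findings = []
    for idx, expr in iter_jq_expressions(app):
        reasons = check_expression(expr)
        if reasons:
            findings.append({"entry": idx, "expression": expr, "reasons": reasons})
    return findings


# Constructed Application manifest (JSON form of the YAML an operator would
# apply): a jsonPointers-only entry, a benign jq expression, and the
# unbounded expression from the advisory.
SAMPLE_APP = json.loads("""
{
  "apiVersion": "argoproj.io/v1alpha1",
  "kind": "Application",
  "metadata": {"name": "guestbook"},
  "spec": {
    "ignoreDifferences": [
      {"group": "apps", "kind": "Deployment",
       "jsonPointers": ["/spec/replicas"]},
      {"group": "apps", "kind": "Deployment",
       "jqPathExpressions": [".spec.template.spec.containers[] | select(.name == \\"guestbook\\") | .image"]},
      {"group": "apps", "kind": "Deployment",
       "jqPathExpressions": ["until(true == false; [.] + [1])"]}
    ]
  }
}
""")

if __name__ == "__main__":
    for f in audit_application(SAMPLE_APP):
        print(f"ignoreDifferences[{f['entry']}]: {f['expression']!r}")
        for r in f["reasons"]:
            print("  -", r)
```

The word-boundary match is deliberately coarse: a benign expression comparing a field to the string "until" would also be flagged, which is the right trade-off for a pre-merge gate on Application manifests. The check does not evaluate jq at all, so it cannot itself be driven into the OOM the advisory describes.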

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

  • v2.10.8
  • v2.9.13
  • v2.8.17

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the Argo CD issue tracker or discussions
  • Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolution of this issue

References

Updates


© 2024 Chainguard. All Rights Reserved.