CVE-2022-31016

MEDIUM

Argo CD 0.7.0-2.1.15 - Authenticated Denial of Service via Large File Processing

Title source: llm

Description

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

References (1)

Core 1

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq

Scores

CVSS v3 6.5

EPSS 0.0083

EPSS Percentile 52.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400 CWE-770

Status published

Products (3)

argoproj/argo-cd 0 - 2.1.16Go

argoproj/argo-cd 0.7.0 - 2.1.16Go

argoproj/argo_cd 0.7.0 - 2.1.16

Published Jun 25, 2022

Tracked Since Feb 18, 2026