CVE-2024-21652
CRITICALArgo CD < 2.8.13, 2.9.0-2.9.8, 2.10.0-2.10.3 - Unauthenticated Brute Force Login Protection Bypass via Denial of Service
Title source: llmDescription
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv
Scores
CVSS v3
9.8
EPSS
0.0075
EPSS Percentile
50.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-307
Status
published
Products (2)
argoproj/argo-cd
0 - 2.8.13Go
argoproj/argo_cd
< 2.8.13
Published
Mar 18, 2024
Tracked Since
Feb 18, 2026