CVE-2024-21652

EPSS 0.07%
Veröffentlicht 18.03.2024 18:15:09
Zuletzt bearbeitet 09.01.2025 17:07:47
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Argoproj ≫ Argo Cd Version < 2.8.13

Argoproj ≫ Argo Cd Version >= 2.9.0 < 2.9.9

Argoproj ≫ Argo Cd Version >= 2.10.0 < 2.10.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.204

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21652

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21652

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21652

EUVD