x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-40634

[GoVulnBot]

Advisory CVE-2024-40634 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-cd

Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-40634
• FIX: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
• FIX: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
• FIX: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
• WEB: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w

Cross references:

• github.com/argoproj/argo-cd appears in 32 other report(s):
  • data/excluded/GO-2022-0304.yaml (https://github.com/golang/vulndb#304) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0357.yaml (https://github.com/golang/vulndb#357) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0358.yaml (https://github.com/golang/vulndb#358) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0359.yaml (https://github.com/golang/vulndb#359) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0387.yaml (https://github.com/golang/vulndb#387) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0453.yaml (https://github.com/golang/vulndb#453) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0454.yaml (https://github.com/golang/vulndb#454) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0455.yaml (https://github.com/golang/vulndb#455) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0495.yaml (https://github.com/golang/vulndb#495) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0497.yaml (https://github.com/golang/vulndb#497) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0498.yaml (https://github.com/golang/vulndb#498) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0499.yaml (https://github.com/golang/vulndb#499) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0516.yaml (https://github.com/golang/vulndb#516) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0517.yaml (https://github.com/golang/vulndb#517) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0518.yaml (https://github.com/golang/vulndb#518) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0882.yaml (https://github.com/golang/vulndb#882) NOT_IMPORTABLE
  • data/excluded/GO-2022-0892.yaml (https://github.com/golang/vulndb#892) NOT_IMPORTABLE
  • data/excluded/GO-2023-1512.yaml (https://github.com/golang/vulndb#1512) NOT_IMPORTABLE
  • data/excluded/GO-2023-1520.yaml (https://github.com/golang/vulndb#1520) NOT_IMPORTABLE
  • data/excluded/GO-2023-1577.yaml (https://github.com/golang/vulndb#1577) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1670.yaml (https://github.com/golang/vulndb#1670) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2018.yaml (https://github.com/golang/vulndb#2018) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2049.yaml (https://github.com/golang/vulndb#2049) NOT_IMPORTABLE
  • data/excluded/GO-2023-2050.yaml (https://github.com/golang/vulndb#2050) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2024-2470.yaml (https://github.com/golang/vulndb#2470) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2643.yaml (https://github.com/golang/vulndb#2643)
  • data/reports/GO-2024-2646.yaml (https://github.com/golang/vulndb#2646)
  • data/reports/GO-2024-2728.yaml (https://github.com/golang/vulndb#2728)
  • data/reports/GO-2024-2792.yaml (https://github.com/golang/vulndb#2792)
  • data/reports/GO-2024-2877.yaml (https://github.com/golang/vulndb#2877)
  • data/reports/GO-2024-2898.yaml (https://github.com/golang/vulndb#2898)
  • data/reports/GO-2024-2902.yaml (https://github.com/golang/vulndb#2902)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
summary: CVE-2024-40634 in github.com/argoproj/argo-cd
cves:
    - CVE-2024-40634
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40634
    - fix: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
    - fix: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
    - fix: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
    - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
source:
    id: CVE-2024-40634
    created: 2024-07-22T19:01:14.980908272Z
review_status: UNREVIEWED

[ianthehat]

Duplicate of #3002