CVE Tools
Sign in

CVE-2024-21662

Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow

Published: Mar 18, 2024Updated: Jan 9, 2025 Sources: CVE List NVD GHSA BDUCWE-307
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.8%
Top 47.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-307

Affected Products

argo-cdargoproj
On-premDev Tool
Cloud & SaaS / container-orchestration
github.com/argoproj/argo-cd/v2GoOSS Libraries
Argo CDThe Linux Foundation
On-premDev Tool
Cloud & SaaS / container-orchestration
argo cdargoproj
On-premDev Tool
Cloud & SaaS / container-orchestration
argoprojoss-projectCloud & SaaSaka argo cd, argo-cd, argo workflows, argo workflow
gopackage-ecosystemOSS Libraries
the linux foundationoss-projectUSCloud & SaaSaka linuxfoundation.org, linux foundation

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Credential Access
View detailed technique mapping

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454
github.com
https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d
github.com
https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b
github.com
and 4 more references View all →

Timeline

Published
Mar 18, 2024
Last Updated
Jan 9, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-21662 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows