Vulnerabilities > CVE-2024-21652 - Improper Restriction of Excessive Authentication Attempts vulnerability in Argoproj Argo CD

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
argoproj
CWE-307
critical
NVD
Published: 2024-03-18
Updated: 2025-01-09

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Vulnerable Configurations

Part Description Count
Application
Argoproj
362

Common Weakness Enumeration (CWE)

References