CVE-2023-40584

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Sep 7, 2023
Updated: Sep 13, 2023
CWE ID: 400

Summary

CVE-2023-40584 is a vulnerability affecting all versions of Argo CD starting from v2.4. The vulnerability lies in the repo-server component, which is susceptible to a Denial-of-Service attack. This occurs because the component does not validate the size of the inner files in a user-controlled tar.gz archive, allowing a malicious, low-privileged user to exhaust the server's resources and disrupt the system's functionality and availability. Additionally, a second weakness exists in the same component: the repo-server does not check the permissions of extracted files before attempting to delete them. An attacker can craft a malicious tar.gz archive whose extracted entries cannot be deleted, further compromising the system. A patch has been released in versions 2.6.15, 2.7.14, and 2.8.3, and users are advised to upgrade to mitigate these vulnerabilities, which pose a medium risk with high availability impact according to the CVSS score.
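As an added defensive example (not Argo CD's own code or its actual patch), the Go routines below show the two controls the summary describes as missing: a per-file and whole-archive size cap enforced while streaming the tar.gz, and a cleanup that resets directory permissions before deletion so a crafted archive cannot leave undeletable files behind. The cap values, function names and error value are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"errors"
	"io"
	"os"
	"path/filepath"
)

// Assumed caps (not Argo CD's own values): per inner file and for the whole archive.
const MaxFileSize, MaxTotalSize int64 = 1 << 20, 8 << 20

var ErrTooLarge = errors.New("tar.gz entry exceeds size limit")

// CheckTarGzSizes streams an untrusted tar.gz without writing to disk and fails
// as soon as a declared inner-file size or the running total exceeds the caps,
// which is the validation the vulnerable repo-server lacked. tar.Reader bounds
// each entry body to hdr.Size, so the header alone is decisive. Returns the
// total number of bytes the archive would unpack to.
func CheckTarGzSizes(r io.Reader) (int64, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return 0, err
	}
	tr, total := tar.NewReader(gz), int64(0)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return total, nil
		}
		if err != nil {
			return total, err
		}
		if hdr.Size > MaxFileSize || total+hdr.Size > MaxTotalSize {
			return total, ErrTooLarge
		}
		total += hdr.Size
	}
}

// RemoveAllForce restores owner rwx on every directory before deleting, so an
// archive that unpacked a read-only directory cannot leave its files behind.
func RemoveAllForce(dir string) error {
	_ = filepath.WalkDir(dir, func(p string, d os.DirEntry, err error) error {
		if err == nil && d.IsDir() {
			_ = os.Chmod(p, 0o700)
		}
		return nil
	})
	return os.RemoveAll(dir)
}
```

Running the size check before any extraction turns a decompression-bomb archive into a rejected request instead of a filled disk.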
