CVE-2023-40584

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Sep 7, 2023
Updated: Sep 13, 2023
CWE ID: 400 (Uncontrolled Resource Consumption)

Summary

CVE-2023-40584 is a vulnerability affecting all versions of Argo CD starting from v2.4. The vulnerability lies in the repo-server component, which is susceptible to a Denial-of-Service attack vector. This occurs because the component does not validate the size of the inner files in a user-controlled tar.gz file, so a malicious, low-privileged user can exploit the vulnerability and disrupt the system's functionality and availability. Additionally, another vulnerability exists where the repo-server does not check the permissions of extracted files before attempting to delete them. An attacker can craft a malicious tar.gz archive whose inner files cannot be deleted, further compromising the system. A patch has been released in versions 2.6.15, 2.7.14, and 2.8.3, and users are advised to upgrade to mitigate these vulnerabilities, which pose a medium risk with high availability impact according to the CVE score.
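The two defects described above (no size check on entries of an untrusted tar.gz, and cleanup that fails when the archive plants non-writable entries) are both about how the extraction step is written. The following Go program is an added example, not Argo CD's own repo-server code, showing the two defensive controls a patched extractor needs: a per-file and total cap on decompressed bytes enforced while streaming, and a cleanup routine that resets permissions before deleting. The function names (ExtractTarGz, RemoveAllForce, BuildTarGz), the limits and the archive contents are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can distinguish policy rejections from I/O failures.
var (
	ErrFileTooLarge  = errors.New("tar entry exceeds per-file size limit")
	ErrArchiveTooBig = errors.New("total extracted size exceeds limit")
	ErrBadPath       = errors.New("tar entry escapes destination directory")
)

// ExtractTarGz unpacks a gzip-compressed tar stream into dst. Limits apply to
// decompressed bytes, which is what a small archive can inflate into, and are
// checked before and during each copy so an oversized entry is cut off early.
func ExtractTarGz(r io.Reader, dst string, maxFile, maxTotal int64) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	root := filepath.Clean(dst) + string(os.PathSeparator)
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		// Reject absolute names and ".." traversal before touching the filesystem.
		target := filepath.Join(dst, hdr.Name)
		if !strings.HasPrefix(target, root) {
			return ErrBadPath
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o700); err != nil {
				return err
			}
		case tar.TypeReg:
			// Early rejection on the declared size, then a hard cap on the copy
			// itself so the guarantee does not rest on the header alone.
			if hdr.Size > maxFile {
				return ErrFileTooLarge
			}
			if total+hdr.Size > maxTotal {
				return ErrArchiveTooBig
			}
			if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
				return err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
			if err != nil {
				return err
			}
			n, err := io.Copy(f, io.LimitReader(tr, maxFile+1))
			f.Close()
			if err != nil {
				return err
			}
			if n > maxFile {
				return ErrFileTooLarge
			}
			total += n
		default:
			// Symlinks, devices and other entry types are not needed for
			// manifests, so they are skipped rather than materialised.
		}
	}
}

// RemoveAllForce deletes dir even when the archive made entries read-only or
// directories non-traversable: every directory gets owner rwx and every file
// owner rw before os.RemoveAll runs, so deletion cannot be blocked by mode bits.
func RemoveAllForce(dir string) error {
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink != 0 {
			return nil // Chmod would follow the link; never touch the target.
		}
		mode := fs.FileMode(0o600)
		if d.IsDir() {
			mode = 0o700 // chmod happens before WalkDir lists the directory
		}
		return os.Chmod(p, mode)
	})
	if err != nil && !errors.Is(err, fs.ErrNotExist) {
		return err
	}
	return os.RemoveAll(dir)
}

// BuildTarGz builds an in-memory tar.gz from name -> content (constructed sample data).
func BuildTarGz(files map[string][]byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write(body)
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	dst, err := os.MkdirTemp("", "repo-server-demo")
	if err != nil {
		panic(err)
	}
	defer RemoveAllForce(dst)
	// 2 MiB of zeros compresses to a few KB: small upload, large extraction.
	bomb := BuildTarGz(map[string][]byte{"big.yaml": make([]byte, 2<<20)})
	err = ExtractTarGz(bytes.NewReader(bomb), dst, 1<<20, 8<<20)
	fmt.Println("oversized entry rejected:", errors.Is(err, ErrFileTooLarge))
}
```

The limits are deliberately on decompressed bytes rather than on the uploaded archive: the gzip layer is where a few kilobytes turn into gigabytes. RemoveAllForce fixes modes during the walk, before each directory is listed, which is what lets it get into a directory the archive left without the owner's write or execute bit.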
