CVE-2024-32476

MEDIUM6.5EPSS 0.42%

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences

Published: 4/26/2024Modified: 2/4/2026

Description

### Impact DoS vuln via OOM using jq in ignoreDifferences. ``` ignoreDifferences: - group: apps kind: Deployment jqPathExpressions: - 'until(true == false; [.] + [1])' ``` ### Patches A patch for this vulnerability has been released in the following Argo CD versions: v2.10.8 v2.9.13 v2.8.17 ### For more information If you have any questions or comments about this advisory: Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd Credits This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw) The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Affected packages (4)

Bitnami/argo-cdfrom 0, < 2.10.8
Go/github.com/argoproj/argo-cdfrom 0
Go/github.com/argoproj/argo-cd/v2>= 2.10.0, < 2.10.8
Go/github.com/argoproj/argo-cd/v2from 0, < 2.8.17, >= 2.9.0, < 2.9.13, >= 2.10.0, < 2.10.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

Affected packages (4)

CVSS scores

References (6)