The vulnerability exists within the `affectedRevisionInfo` function in util/webhook/webhook.go. When a Gogs webhook push event is received at the unauthenticated `/api/webhook` endpoint, the function attempts to process the JSON payload. For a `gogsclient.PushPayload` type, the code directly accesses `payload.Repo.HTMLURL` on line 233. The `Repo` field is a pointer type. If the incoming JSON, as in the PoC, contains a `commits` array with an object that has a null or missing `repo` field, the `Repo` pointer in the parsed structure remains nil. The code does not validate that this pointer is non-nil before dereferencing it to access the `HTMLURL` sub-field. This causes a nil pointer dereference, triggering a runtime panic that crashes the entire `argocd-server` process. An attacker can repeatedly send this malicious payload to cause a sustained Denial-of-Service.
Platform: Argo CD
Version: Unpatched versions
Vulnerability: Denial-of-Service
Severity: Critical
Date: 2023-08-30
Prediction: 2023-09-13
What Undercode Says:
curl -k -v https://argocd.example.com/api/webhook \
  -H 'X-Gogs-Event: push' \
  -H 'Content-Type: application/json' \
  --data-binary @payload-gogs.json

payload-gogs.json:
{
  "ref": "refs/heads/master",
  "commits": [{}]
}
webURLs = append(webURLs, payload.Repo.HTMLURL) // panic: payload.Repo is nil
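The unchecked dereference beside a hardened version, as an added example that is not Argo CD's own code: the `Repository` and `PushPayload` structs are assumed stand-ins for the gogsclient types (a pointer `Repo` decoded from the top-level `repository` object), and `pocBody` is a constructed copy of the PoC shape.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Stand-ins for the gogsclient types (assumed shape, not the real library). Repo is
// a pointer filled from the top-level "repository" object, so it stays nil when absent.
type Repository struct {
	HTMLURL string `json:"html_url"`
}
type PushPayload struct {
	Commits []json.RawMessage `json:"commits"`
	Repo    *Repository       `json:"repository"`
}
// Constructed PoC-shaped body: a commits array but no "repository" object.
const pocBody = `{"ref": "refs/heads/master", "commits": [{}]}`
// vulnerableWebURLs mirrors the unchecked dereference; recover only turns the
// runtime panic into an error so the example can report it instead of exiting.
func vulnerableWebURLs(body []byte) (webURLs []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	var payload PushPayload
	if err := json.Unmarshal(body, &payload); err != nil {
		return nil, err
	}
	webURLs = append(webURLs, payload.Repo.HTMLURL) // nil dereference when Repo is absent
	return webURLs, nil
}
// hardenedWebURLs checks the pointer and returns an error the handler can map to a
// 400 response, so a malformed payload cannot crash argocd-server.
func hardenedWebURLs(body []byte) ([]string, error) {
	var payload PushPayload
	if err := json.Unmarshal(body, &payload); err != nil {
		return nil, err
	}
	if payload.Repo == nil || payload.Repo.HTMLURL == "" {
		return nil, fmt.Errorf("gogs push payload has no repository.html_url")
	}
	return []string{payload.Repo.HTMLURL}, nil
}
func main() {
	_, vulnErr := vulnerableWebURLs([]byte(pocBody))
	_, safeErr := hardenedWebURLs([]byte(pocBody))
	fmt.Printf("vulnerable: %v\nhardened: %v\n", vulnErr, safeErr)
}
```

The same nil check belongs in front of every pointer-typed field the handler reads from an unauthenticated body, not only `Repo`.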
How to Exploit:
Send an unauthenticated malicious Gogs webhook.
Protection from this CVE:
Set `webhook.gogs.secret`.
Disable Gogs webhooks.
Impact:
Service unavailability.
API server crash.
Sources:
Reported By: github.com

