Argo CD Bitbucket Server Webhook Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Argo CD, a GitOps continuous delivery tool for Kubernetes. Affected versions are 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, and 3.0.0-rc1 through 3.2.0-rc1, including the 3.0.18 and 3.1.7 patch releases. The vulnerability is triggered when the '/api/webhook' endpoint receives a malformed Bitbucket Server push payload whose 'repository.links.clone' field is not an array: the handler assumes the field has the shape Bitbucket Server normally sends and does not check it, so any other JSON type makes the 'argocd-server' process panic. In the default configuration, where no 'webhook.bitbucketserver.secret' is set, the endpoint accepts unauthenticated requests, so anyone who can reach it can deliver the payload. Each crash restarts the pod into a 'CrashLoopBackOff' state, and if all replicas are targeted the result is a complete API outage.

Impact

Exploitation causes the 'argocd-server' process to panic and exit, which puts the pod into 'CrashLoopBackOff'. Because Kubernetes lengthens the restart delay after each successive crash, a sender who repeats the request against every replica can keep the Argo CD API, and with it the UI and CLI, unavailable for as long as the traffic continues. Application reconciliation in the controller is not the component that crashes, but nothing that goes through the API server works while it is down.

Reproduction

To reproduce this vulnerability, send an unauthenticated POST request to the '/api/webhook' endpoint with a Bitbucket Server push event payload in which 'repository.links.clone' is a non-array value (for example a JSON object or string). The payload triggers a panic in the 'argocd-server' process; the pod crashes and restarts, and the request can be repeated against each replica to keep the service disrupted. No credentials or special knowledge of the target's repositories are needed when no Bitbucket Server webhook secret is configured.
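The following Go program is an added illustration of the bug class the Vulnerability section describes and of the malformed payload the reproduction step relies on; it is not Argo CD's source code. It models only the 'repository.links.clone' part of a Bitbucket Server 'repo:refs_changed' payload, with two constructed sample documents: one shaped the way Bitbucket Server sends it (an array of link objects) and one where 'clone' is an object. The unchecked version uses a bare Go type assertion, which panics when the JSON type does not match; the hardened version uses the comma-ok form and turns the same input into an error. The struct names and the helper 'panics' are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal model of the part of a Bitbucket Server repo:refs_changed payload
// that matters here. Links is left untyped because Bitbucket nests
// heterogeneous objects under it, which is exactly what invites an
// unchecked type assertion. (Example types, not Argo CD's.)
type repository struct {
	Name  string                 `json:"name"`
	Links map[string]interface{} `json:"links"`
}

type refsChangedPayload struct {
	Repository repository `json:"repository"`
}

// Constructed sample shaped like a real event: links.clone is an array of
// {href, name} objects.
const wellFormed = `{"repository":{"name":"app","links":{"clone":[
  {"href":"ssh://git@bitbucket.example.com:7999/proj/app.git","name":"ssh"},
  {"href":"https://bitbucket.example.com/scm/proj/app.git","name":"http"}]}}}`

// Constructed attacker-controlled variant: links.clone is an object, not an
// array. Everything else in the document is valid JSON.
const malformed = `{"repository":{"name":"app","links":{"clone":{"href":"x"}}}}`

// cloneURLsUnchecked shows the bug class: the value under "clone" is asserted
// to be []interface{} without a comma-ok check, so the malformed payload
// panics instead of returning an error. net/http recovers panics raised
// inside ServeHTTP, but a panic in any goroutine it does not supervise (for
// example a worker that consumes queued webhook events) terminates the whole
// process, which is the outcome the advisory describes.
func cloneURLsUnchecked(raw []byte) ([]string, error) {
	var p refsChangedPayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var urls []string
	for _, l := range p.Repository.Links["clone"].([]interface{}) { // panics if not an array
		m := l.(map[string]interface{}) // panics if an element is not an object
		urls = append(urls, m["href"].(string)) // panics if href is missing or not a string
	}
	return urls, nil
}

// cloneURLs is the hardened form: every assertion uses comma-ok and an
// unexpected shape is reported as an error the handler can log and reject.
func cloneURLs(raw []byte) ([]string, error) {
	var p refsChangedPayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	clone, ok := p.Repository.Links["clone"].([]interface{})
	if !ok {
		return nil, errors.New("repository.links.clone is missing or not an array")
	}
	urls := make([]string, 0, len(clone))
	for i, l := range clone {
		m, ok := l.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("repository.links.clone[%d] is not an object", i)
		}
		href, ok := m["href"].(string)
		if !ok || href == "" {
			return nil, fmt.Errorf("repository.links.clone[%d].href is missing or not a string", i)
		}
		urls = append(urls, href)
	}
	return urls, nil
}

// panics reports whether f panics, so the crash can be demonstrated without
// taking this demo process down.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	fmt.Println("unchecked, malformed payload panics:", panics(func() { cloneURLsUnchecked([]byte(malformed)) }))
	urls, err := cloneURLs([]byte(malformed))
	fmt.Println("checked, malformed payload:", urls, err)
	urls, err = cloneURLs([]byte(wellFormed))
	fmt.Println("checked, well-formed payload:", urls, err)
}
```

The same check applies to every untyped field pulled out of a webhook body: a single bare assertion on attacker-controlled JSON is a remote crash primitive, and the fix is a comma-ok test plus an error return, not a recover() wrapped around the whole handler.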

Remediation

Users who need to handle Bitbucket Server webhook events should configure a webhook secret by setting 'webhook.bitbucketserver.secret' (it lives in the 'argocd-secret' Secret alongside the other webhook secrets) and entering the same value in the Bitbucket Server webhook configuration, so that only requests carrying a valid signature reach the handler. Users who do not use Bitbucket Server can set the key to a long, random value that is shared with nobody; every Bitbucket Server-style request then fails signature verification before the payload is parsed, which effectively disables that handler. The secret only gates the entry point and does not remove the unchecked field access itself, so affected deployments should also upgrade to a release past the affected ranges listed above.
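The following Go program is an added illustration of why the secret closes off the reproduction path; it is not Argo CD's webhook code. It assumes Bitbucket Server's documented signing scheme, an 'X-Hub-Signature' header carrying 'sha256=' followed by the hex HMAC-SHA256 of the raw request body under the shared secret, which this page does not describe. With an empty secret the gate behaves like the default configuration and forwards every request to the parser; with a secret set, unsigned or mis-signed requests are rejected with 401 before the body is touched, and 'randomSecret' shows the kind of value the remediation recommends for deployments that do not use Bitbucket Server at all. The handler and helper names are assumptions made for the example, and the request body is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header and value format Bitbucket Server uses for signed webhooks
// (assumption taken from Bitbucket Server's documentation, not from this page).
const sigHeader = "X-Hub-Signature"
const sigPrefix = "sha256="

// sign computes the header value a legitimate Bitbucket Server would attach.
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return sigPrefix + hex.EncodeToString(mac.Sum(nil))
}

// verify checks a presented header value against the raw body in constant time.
func verify(secret, body []byte, header string) bool {
	if !strings.HasPrefix(header, sigPrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, sigPrefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// newWebhookHandler puts the signature check in front of the real event
// processing (next). An empty secret mirrors the advisory's default
// configuration and forwards everything; a configured secret means nothing
// unsigned or mis-signed ever reaches the parser that would panic.
func newWebhookHandler(secret []byte, next func([]byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if len(secret) > 0 && !verify(secret, body, r.Header.Get(sigHeader)) {
			http.Error(w, "invalid or missing signature", http.StatusUnauthorized)
			return
		}
		next(body)
		w.WriteHeader(http.StatusOK)
	})
}

// randomSecret produces the "long, random value" the remediation suggests:
// 32 bytes from crypto/rand, hex-encoded, never shared with any Bitbucket
// Server, so no one can produce a valid signature.
func randomSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// post drives a handler through httptest and returns the HTTP status code.
func post(h http.Handler, body []byte, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if sig != "" {
		req.Header.Set(sigHeader, sig)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	// Constructed malformed body: links.clone is an object, not an array.
	body := []byte(`{"repository":{"links":{"clone":{"href":"x"}}}}`)
	parsed := 0
	next := func([]byte) { parsed++ }

	open := newWebhookHandler(nil, next)
	fmt.Println("no secret, unsigned:", post(open, body, ""), "parsed:", parsed)

	secret, err := randomSecret()
	if err != nil {
		panic(err)
	}
	locked := newWebhookHandler([]byte(secret), next)
	fmt.Println("secret set, unsigned:", post(locked, body, ""), "parsed:", parsed)
	fmt.Println("secret set, bad signature:", post(locked, body, sigPrefix+"00"), "parsed:", parsed)
	fmt.Println("secret set, valid signature:", post(locked, body, sign([]byte(secret), body)), "parsed:", parsed)
}
```

Note that the gate does not make the parser safe: a party who holds the secret, or a Bitbucket Server that has been compromised, can still deliver the malformed body. It removes the unauthenticated path, which is what turns this from an internet-facing crash into one that requires a trusted sender.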

Added: Oct 1, 2025, 9:20 PM
Updated: Oct 1, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 8.3
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.