Argo CD Denial-of-Service Vulnerability via Malicious Gogs Webhook Payload

Vulnerability

A denial-of-service vulnerability has been identified in Argo CD, a GitOps continuous delivery tool for Kubernetes. This issue affects versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, and 3.0.0-rc1 through 3.2.0-rc1, as well as versions 3.1.7 and 3.0.18. The vulnerability arises when the '/api/webhook' endpoint receives a Gogs push event whose 'commits[].repo' JSON field is null or unset. Under default configurations, this malformed payload can crash the 'argocd-server' process, disrupting service for legitimate users.

Impact

Exploitation of this vulnerability leads to a crash of the Argo CD API server, causing a denial-of-service condition where the service becomes unavailable to legitimate clients.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated request to the '/api/webhook' endpoint with a Gogs push event payload that includes an empty 'commits[].repo' field. This can be done using a curl command that specifies the 'X-Gogs-Event' header as 'push' and the 'Content-Type' as 'application/json', along with the malformed payload data.
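The failure mode above is a nil dereference of a decoded JSON field. The following Go sketch is an added illustration, not Argo CD's own code: the struct names, the 'gogsPush' payload subset and the two function names are assumptions modelled loosely on a Gogs push event, with the unchecked variant beside a nil-safe one that turns the malformed payload into an error the handler can reject.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical subset of a Gogs push payload (not Argo CD's own types).
// Repo is a pointer, so a null or absent "repo" field decodes to nil.
type gogsRepo struct{ HTMLURL string `json:"html_url"` }
type gogsCommit struct {
	ID   string    `json:"id"`
	Repo *gogsRepo `json:"repo"`
}
type gogsPush struct{ Commits []gogsCommit `json:"commits"` }

var errMissingRepo = errors.New("commit has no repo")

// unsafeRepoURLs reads c.Repo.HTMLURL unchecked: a commit with "repo": null
// is a nil pointer dereference, the crash class the advisory describes.
func unsafeRepoURLs(p gogsPush) (urls []string) {
	for _, c := range p.Commits {
		urls = append(urls, c.Repo.HTMLURL) // panics when Repo == nil
	}
	return urls
}

// safeRepoURLs decodes the body and rejects any commit whose repo is nil,
// so the handler can answer 400 instead of taking the whole process down.
func safeRepoURLs(body []byte) ([]string, error) {
	var p gogsPush
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, fmt.Errorf("invalid push payload: %w", err)
	}
	urls := make([]string, 0, len(p.Commits))
	for i, c := range p.Commits {
		if c.Repo == nil {
			return nil, fmt.Errorf("commit %d (%q): %w", i, c.ID, errMissingRepo)
		}
		urls = append(urls, c.Repo.HTMLURL)
	}
	return urls, nil
}

func main() {
	// Constructed sample: one commit whose "repo" is null, as in the advisory.
	bad := []byte(`{"commits":[{"id":"a1","repo":null}]}`)
	fmt.Println(safeRepoURLs(bad)) // [] commit 0 ("a1"): commit has no repo
}
```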

Remediation

Users who utilize Gogs should configure a webhook secret to ensure that only trusted parties can invoke the webhook handler. For those not using Gogs, setting the webhook secret to a long, random value will effectively disable webhook handling for Gogs payloads.

Added: Oct 1, 2025, 9:19 PM
Updated: Oct 1, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 9.1
remediation: 8.3
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.