Argo CD Unauthenticated Remote Denial-of-Service Vulnerability via Malformed Azure DevOps Webhook

Vulnerability

A denial-of-service vulnerability has been identified in Argo CD, a continuous delivery tool for Kubernetes, affecting versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6, and 3.0.17. The issue arises when the 'webhook.azuredevops.username' and 'webhook.azuredevops.password' are not configured. In this scenario, the '/api/webhook' endpoint crashes the 'argocd-server' process upon receiving an Azure DevOps Push event with an empty 'refUpdates' array. The lack of a length check before accessing the array's first element leads to an index-out-of-range panic, terminating the server process. This vulnerability can be exploited with a single unauthenticated HTTP POST request.
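The failure mode described above, shown as an added Go illustration that is not Argo CD's own code: a constructed model of the Azure DevOps git.push payload (field names follow the public Azure DevOps service-hook schema), a routine that indexes 'refUpdates[0]' without a length check and therefore panics on an empty array, the hardened form that validates the payload before indexing, and a recover wrapper standing in for the process crash. The type and function names ('azurePushEvent', 'unsafeRefName', 'safeRefName', 'callRecovering') and the sample payloads are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// azurePushEvent models only the fields of an Azure DevOps git.push service-hook
// payload that matter here. It is a constructed illustration, not Argo CD's struct.
type azurePushEvent struct {
	EventType string `json:"eventType"`
	Resource  struct {
		RefUpdates []struct {
			Name        string `json:"name"`
			OldObjectID string `json:"oldObjectId"`
			NewObjectID string `json:"newObjectId"`
		} `json:"refUpdates"`
		Repository struct {
			RemoteURL string `json:"remoteUrl"`
		} `json:"repository"`
	} `json:"resource"`
}

// unsafeRefName reproduces the bug class: it indexes refUpdates[0] without
// checking the slice length, so an empty array triggers a runtime panic.
func unsafeRefName(body []byte) (string, error) {
	var ev azurePushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	return ev.Resource.RefUpdates[0].Name, nil // index out of range when RefUpdates is empty
}

// safeRefName is the hardened form: validate the payload shape before indexing
// and return an error the HTTP handler can map to a 400 Bad Request.
func safeRefName(body []byte) (string, error) {
	var ev azurePushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", fmt.Errorf("malformed webhook payload: %w", err)
	}
	if ev.EventType != "git.push" {
		return "", fmt.Errorf("unexpected eventType %q", ev.EventType)
	}
	if len(ev.Resource.RefUpdates) == 0 {
		return "", errors.New("git.push event carries no refUpdates")
	}
	return ev.Resource.RefUpdates[0].Name, nil
}

// callRecovering runs fn and reports whether it panicked. It stands in for the
// process-level crash in the advisory; a server should additionally wrap its
// handlers in recover middleware so one bad request cannot terminate the process.
func callRecovering(fn func() (string, error)) (ref string, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	ref, err = fn()
	return
}

// Constructed sample payloads for the two cases; these are not captured traffic.
var (
	emptyRefUpdates = []byte(`{"eventType":"git.push","resource":{"refUpdates":[],"repository":{"remoteUrl":"https://dev.azure.com/example/_git/repo"}}}`)
	oneRefUpdate    = []byte(`{"eventType":"git.push","resource":{"refUpdates":[{"name":"refs/heads/main","oldObjectId":"0000","newObjectId":"1111"}],"repository":{"remoteUrl":"https://dev.azure.com/example/_git/repo"}}}`)
)

func main() {
	for _, body := range [][]byte{oneRefUpdate, emptyRefUpdates} {
		_, panicked, err := callRecovering(func() (string, error) { return unsafeRefName(body) })
		fmt.Printf("unsafe: panicked=%v err=%v\n", panicked, err)
		ref, err := safeRefName(body)
		fmt.Printf("safe:   ref=%q err=%v\n", ref, err)
	}
}
```

The point of the hardened form is that every field the handler dereferences is validated first, so a malformed payload produces a client error rather than a server crash; the recover wrapper is a second, independent layer that limits the blast radius of any check that was missed.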

Impact

Exploitation of this vulnerability causes the 'argocd-server' process to crash, terminating the webhook handling and disrupting any ongoing operations or user interactions with the Argo CD server.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the '/api/webhook' endpoint with an Azure DevOps Push event payload whose 'refUpdates' array is empty, against an instance where 'webhook.azuredevops.username' and 'webhook.azuredevops.password' are not set (the default configuration). The 'argocd-server' process crashes with an unhandled index-out-of-range panic, because the empty 'refUpdates' array violates the payload structure the handler expects.

Remediation

Users can configure the 'webhook.azuredevops.username' and 'webhook.azuredevops.password' settings so that Azure DevOps webhook events are handled properly. Deployments that do not use Azure DevOps can set these to long, random values, which effectively disables handling of Azure DevOps webhook payloads.

Added: Oct 1, 2025, 9:18 PM
Updated: Oct 1, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          2.5
  exploitability  9.5
  remediation     7.9
  relevance       0.6
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.