CVE-2022-31016 MEDIUM

CVE-2022-31016: Argo CD vulnerable to Uncontrolled Memory Consumption

Vendor Argoproj

Product argo-cd

Weakness CWE-400

Published June 25, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

Key dates

02Disclosure timeline

June 25, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-31016 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html

Related vulnerabilities

Identifiers

CVE CVE-2022-31016

CWE CWE-400

CVSS 6.5 / MEDIUM

Affected versions

Vendor Argoproj

Product argo-cd

Affected >= 0.7.0, < 2.1.16

Vendor Argoproj

Product argo-cd

Affected > 2.0.0, < 2.2.10

Vendor Argoproj

Product argo-cd

Affected > 2.3.0, < 2.3.5

CVE-2022-31016: Argo CD vulnerable to Uncontrolled Memory Consumption

01Description

02Disclosure timeline

03References

04Related CVE