apk package
chainguard/argo-cd-2.9-repo-server
pkg:apk/chainguard/argo-cd-2.9-repo-server
Vulnerabilities (21)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-41666 | — | | | < 2.9.21-r0 | 2.9.21-r0 | Jul 24, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and gran |
| CVE-2024-40634 | — | | | < 2.9.21-r0 | 2.9.21-r0 | Jul 22, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation t |
| CVE-2024-6104 | — | | | < 2.9.17-r1 | 2.9.17-r1 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. |
| CVE-2024-24789 | — | | | < 2.9.16-r1 | 2.9.16-r1 | Jun 5, 2024 | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip pac |
| CVE-2024-24790 | — | | | < 2.9.16-r1 | 2.9.16-r1 | Jun 5, 2024 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
| CVE-2024-31989 | — | | | < 2.9.15-r0 | 2.9.15-r0 | May 21, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin |
| CVE-2024-24788 | Med | 5.9 | | < 2.9.14-r1 | 2.9.14-r1 | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. |
| CVE-2024-24787 | Med | 6.4 | | < 2.9.14-r1 | 2.9.14-r1 | May 8, 2024 | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. |
| CVE-2024-31990 | — | | | < 2.9.12-r0 | 2.9.12-r0 | Apr 15, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2. |
| CVE-2023-45288 | Hig | 7.5 | | < 2.9.12-r0 | 2.9.12-r0 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma |
| CVE-2024-29893 | — | | | < 2.9.10-r0 | 2.9.10-r0 | Mar 29, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server componen |
| CVE-2024-21662 | — | | | < 2.9.9-r0 | 2.9.9-r0 | Mar 18, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in securi |
| CVE-2024-21652 | — | | | < 2.9.9-r0 | 2.9.9-r0 | Mar 18, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the appli |
| CVE-2023-50726 | — | | | < 2.9.8-r0 | 2.9.8-r0 | Mar 13, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted |
| CVE-2024-28175 | — | | | < 2.9.8-r0 | 2.9.8-r0 | Mar 13, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated p |
| CVE-2024-28180 | — | | | < 2.9.7-r2 | 2.9.7-r2 | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret |
| CVE-2023-49568 | — | | | < 2.9.3-r5 | 2.9.3-r5 | Jan 12, 2024 | A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. A |
| CVE-2023-46402 | — | | | < 2.9.3-r1 | 2.9.3-r1 | Nov 17, 2023 | git-urls 1.0.0 allows ReDOS (Regular Expression Denial of Service) in urls.go. |
| CVE-2023-5528 | — | | | < 0 | 0 | Nov 14, 2023 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. |
| CVE-2023-47108 | — | | | < 2.9.2-r1 | 2.9.2-r1 | Nov 10, 2023 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. |
Page 1 of 2