VYPR

apk package

chainguard/argo-cd-fips-2.9-compat

pkg:apk/chainguard/argo-cd-fips-2.9-compat

Vulnerabilities (17)

  • CVE-2024-41666Jul 24, 2024
    affected < 2.9.21-r0fixed 2.9.21-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and gran

  • CVE-2024-40634Jul 22, 2024
    affected < 2.9.21-r0fixed 2.9.21-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation t

  • CVE-2024-6104Jun 24, 2024
    affected < 2.9.14-r6fixed 2.9.14-r6

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2024-31989May 21, 2024
    affected < 0fixed 0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin

  • CVE-2024-24788MedMay 8, 2024
    affected < 2.9.14-r1fixed 2.9.14-r1

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2024-24787MedMay 8, 2024
    affected < 2.9.14-r1fixed 2.9.14-r1

    On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

  • CVE-2024-32476Apr 26, 2024
    affected < 2.9.13-r0fixed 2.9.13-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.

  • CVE-2024-31990Apr 15, 2024
    affected < 2.9.12-r0fixed 2.9.12-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.

  • CVE-2024-29893Mar 29, 2024
    affected < 2.9.10-r0fixed 2.9.10-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server componen

  • CVE-2024-21662Mar 18, 2024
    affected < 2.9.9-r0fixed 2.9.9-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in securi

  • CVE-2024-21652Mar 18, 2024
    affected < 2.9.9-r0fixed 2.9.9-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the appli

  • CVE-2023-50726Mar 13, 2024
    affected < 2.9.8-r0fixed 2.9.8-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted

  • CVE-2024-28175Mar 13, 2024
    affected < 2.9.8-r0fixed 2.9.8-r0

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated p

  • CVE-2024-28180Mar 9, 2024
    affected < 2.9.6-r1fixed 2.9.6-r1

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret

  • CVE-2024-24786HigMar 5, 2024
    affected < 2.9.9-r0fixed 2.9.9-r0

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2023-5528Nov 14, 2023
    affected < 2.9.9-r1fixed 2.9.9-r1

    A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

  • CVE-2021-25743Jan 7, 2022
    affected < 0fixed 0

    kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.