VYPR

Bitnami package

argo-cd

pkg:bitnami/argo-cd

Vulnerabilities (31)

  • CVE-2026-42880CriMay 7, 2026
    affected >= 3.2.0, < 3.2.11fixed 3.2.11

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to ex

  • CVE-2025-59538Oct 1, 2025
    affected >= 2.9.0, < 2.14.20fixed 2.14.20

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a

  • CVE-2025-59537Oct 1, 2025
    affected >= 1.2.0, < 2.14.20fixed 2.14.20

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to

  • CVE-2025-59531Oct 1, 2025
    affected >= 1.2.0, < 2.14.20fixed 2.14.20

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to

  • CVE-2025-55191Sep 30, 2025
    affected >= 2.1.0, < 2.14.20fixed 2.14.20

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic

  • CVE-2025-55190Sep 4, 2025
    affected >= 2.13.0, < 2.13.9fixed 2.13.9

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (

  • CVE-2025-47933May 29, 2025
    affected >= 1.2.0, < 2.13.8fixed 2.13.8

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke

  • CVE-2025-23216Jan 30, 2025
    affected < 2.13.4fixed 2.13.4

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes th

  • CVE-2024-41666Jul 24, 2024
    affected >= 2.6.0, < 2.11.7fixed 2.11.7

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and gran

  • CVE-2024-40634Jul 22, 2024
    affected >= 1.0.0, < 2.11.6fixed 2.11.6

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation t

  • CVE-2024-37152Jun 6, 2024
    affected >= 2.9.3, < 2.11.3fixed 2.11.3

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerabil

  • CVE-2024-36106Jun 6, 2024
    affected >= 2.10.0, < 2.11.3fixed 2.11.3

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of

  • CVE-2024-31989May 21, 2024
    affected < 2.11.1fixed 2.11.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin

  • CVE-2024-32476Apr 26, 2024
    affected < 2.10.8fixed 2.10.8

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.

  • CVE-2024-31990Apr 15, 2024
    affected >= 2.4.0, < 2.10.7fixed 2.10.7

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.

  • CVE-2024-29893Mar 29, 2024
    affected >= 2.4.0, < 2.10.5fixed 2.10.5

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server componen

  • CVE-2024-21662Mar 18, 2024
    affected < 2.10.4fixed 2.10.4

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in securi

  • CVE-2024-21661Mar 18, 2024
    affected < 2.10.4fixed 2.10.4

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all u

  • CVE-2024-21652Mar 18, 2024
    affected < 2.10.4fixed 2.10.4

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the appli

  • CVE-2023-50726Mar 13, 2024
    affected >= 1.2.0, < 2.8.12fixed 2.8.12

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted

Page 1 of 2