Go modules package
github.com/argoproj/argo-cd/v2
pkg:golang/github.com/argoproj/argo-cd/v2
Vulnerabilities (36)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-40584 | — | — | — | >= 2.4.0, < 2.6.15 | 2.6.15 | Sep 7, 2023 | Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file w |
| CVE-2023-40029 | — | — | — | >= 2.2.0, < 2.6.15 | 2.6.15 | Sep 7, 2023 | Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. pull request #7139 int |
| CVE-2023-40025 | — | — | — | >= 2.6.0, < 2.6.14 | 2.6.14 | Aug 23, 2023 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The |
| CVE-2022-41354 | — | — | — | >= 2.5.0, < 2.5.16 | 2.5.16 | Mar 27, 2023 | An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications. |
| CVE-2023-25163 | — | — | — | >= 2.6.0-rc1, < 2.6.1 | 2.6.1 | Feb 8, 2023 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logge |
| CVE-2023-22736 | — | — | — | >= 2.5.0-rc1, < 2.5.8 | 2.5.8 | Jan 26, 2023 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the conf |
| CVE-2022-1025 | — | — | — | < 2.1.14 | 2.1.14 | Jul 12, 2022 | All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. |
| CVE-2022-31036 | — | — | — | < 2.1.16 | 2.1.16 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malic |
| CVE-2022-31035 | — | — | — | < 2.1.16 | 2.1.16 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script |
| CVE-2022-31034 | — | — | — | < 2.1.16 | 2.1.16 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently rando |
| CVE-2022-31016 | — | — | — | < 2.1.16 | 2.1.16 | Jun 25, 2022 | Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must b |
| CVE-2022-29165 | — | — | — | >= 2.3.0, < 2.3.4 | 2.3.4 | May 20, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate any Argo CD user |
| CVE-2022-24905 | — | — | — | >= 2.3.0, < 2.3.4 | 2.3.4 | May 20, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit |
| CVE-2022-24904 | — | — | — | < 2.1.15 | 2.1.15 | May 20, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files fro |
| CVE-2022-24348 | — | — | — | < 2.1.9 | 2.1.9 | Feb 4, 2022 | Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file. |
| CVE-2021-23347 | — | — | — | < 1.7.13 | 1.7.13 | Mar 3, 2021 | The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 is vulnerable to Cross-site Scripting (XSS). The SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user. |
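The "Affected versions" column is a plain semver constraint per row, so checking a deployed `github.com/argoproj/argo-cd/v2` version against this page is mechanical. The Go program below is an added example written for this page; it is not code from the vulnerability database or from the Argo CD project. It embeds the CVE, "Affected versions" and "Fixed in" columns of the table as printed, implements SemVer 2.0 precedence including pre-release ordering (so `2.6.0-rc1` sorts before `2.6.0` and falls inside `>= 2.6.0-rc1, < 2.6.1` for CVE-2023-25163, while `2.6.0` itself does not satisfy `>= 2.6.0-rc1`'s sibling row `>= 2.6.0`-style bounds only where the core matches), and reports the rows whose range contains a given version. The type and function names (`advisory`, `splitVersion`, `cmpPrerelease`, `cmpVersion`, `satisfies`, `affecting`) and the assumption that every clause is `<op> <version>` separated by commas, as in the table, are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// advisory is one table row: CVE, affected range as printed, first fixed version.
type advisory struct{ CVE, Affected, FixedIn string }

// advisories copies the CVE, "Affected versions" and "Fixed in" columns above.
var advisories = []advisory{
	{"CVE-2023-40584", ">= 2.4.0, < 2.6.15", "2.6.15"}, {"CVE-2023-40029", ">= 2.2.0, < 2.6.15", "2.6.15"},
	{"CVE-2023-40025", ">= 2.6.0, < 2.6.14", "2.6.14"}, {"CVE-2022-41354", ">= 2.5.0, < 2.5.16", "2.5.16"},
	{"CVE-2023-25163", ">= 2.6.0-rc1, < 2.6.1", "2.6.1"}, {"CVE-2023-22736", ">= 2.5.0-rc1, < 2.5.8", "2.5.8"},
	{"CVE-2022-1025", "< 2.1.14", "2.1.14"}, {"CVE-2022-31036", "< 2.1.16", "2.1.16"},
	{"CVE-2022-31035", "< 2.1.16", "2.1.16"}, {"CVE-2022-31034", "< 2.1.16", "2.1.16"},
	{"CVE-2022-31016", "< 2.1.16", "2.1.16"}, {"CVE-2022-29165", ">= 2.3.0, < 2.3.4", "2.3.4"},
	{"CVE-2022-24905", ">= 2.3.0, < 2.3.4", "2.3.4"}, {"CVE-2022-24904", "< 2.1.15", "2.1.15"},
	{"CVE-2022-24348", "< 2.1.9", "2.1.9"}, {"CVE-2021-23347", "< 1.7.13", "1.7.13"},
}

// splitVersion turns "v2.6.0-rc1+meta" into its numeric core and pre-release tag "rc1".
func splitVersion(v string) ([3]int, string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop "v" and build metadata
	core, pre, _ := strings.Cut(v, "-")
	var n [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(part) // a non-numeric core part counts as 0
	}
	return n, pre
}

// cmpPrerelease orders two pre-release tags identifier by identifier: numbers compare
// numerically and sort before alphanumerics; a tag that is a prefix of the other sorts first.
func cmpPrerelease(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		na, errA := strconv.Atoi(as[i])
		nb, errB := strconv.Atoi(bs[i])
		switch {
		case errA == nil && errB == nil && na != nb:
			return na - nb
		case (errA == nil) != (errB == nil):
			if errA == nil { return -1 }
			return 1
		case errA != nil && as[i] != bs[i]:
			return strings.Compare(as[i], bs[i])
		}
	}
	return len(as) - len(bs)
}

// cmpVersion is negative, zero or positive as a sorts before, equal to or after
// b under SemVer 2.0 precedence, so 2.6.0-rc1 < 2.6.0 < 2.6.1.
func cmpVersion(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := range ca {
		if ca[i] != cb[i] { return ca[i] - cb[i] }
	}
	if pa == pb { return 0 }
	if pa == "" { return 1 } // a release outranks any pre-release of its own core
	if pb == "" { return -1 }
	return cmpPrerelease(pa, pb)
}

// satisfies reports whether v lies in a constraint such as ">= 2.4.0, < 2.6.15";
// every comma-separated clause must hold, and an unknown operator is an error.
func satisfies(v, constraint string) (bool, error) {
	for _, clause := range strings.Split(constraint, ",") {
		op, bound, ok := strings.Cut(strings.TrimSpace(clause), " ")
		c := cmpVersion(v, bound)
		holds, known := map[string]bool{"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
		if !ok || !known { return false, fmt.Errorf("unsupported clause %q", clause) }
		if !holds { return false, nil }
	}
	return true, nil
}

// affecting lists the table rows whose printed range contains v.
func affecting(v string) ([]advisory, error) {
	var hits []advisory
	for _, a := range advisories {
		ok, err := satisfies(v, a.Affected)
		if err != nil { return nil, fmt.Errorf("%s: %w", a.CVE, err) }
		if ok { hits = append(hits, a) }
	}
	return hits, nil
}

func main() {
	for _, v := range []string{"v2.1.15", "v2.6.0-rc1", "v2.6.14", "v2.6.15"} {
		hits, err := affecting(v)
		if err != nil { panic(err) }
		fmt.Printf("%-11s %d advisories: %+v\n", v, len(hits), hits)
	}
}
```

Treat the result as a lower bound, for two reasons the page itself shows. First, this is page 2 of 2 of a 36-entry list, so only the 14 rows printed here are embedded. Second, each row carries a single range even where the description names fixes on other release lines: CVE-2022-24348's text says 2.2.x before 2.2.4 is also affected while its printed range is `< 2.1.9`, and CVE-2022-29165 names 2.1.15, 2.2.9 and 2.3.4 while its range is `>= 2.3.0, < 2.3.4`. A 2.2.3 build therefore comes back clean from this check and is not; read the full advisory before concluding a version is unaffected.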
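Three entries on this page (CVE-2022-24348, CVE-2022-24904, CVE-2022-31036) are one bug class: the repo-server resolves a path taken from a user-controlled repository and follows `..` components or symlinks out of the checkout, leaking files such as YAML that holds credentials. The Go code below is an added example of the containment check that class calls for; it is not Argo CD's code and not its actual fix for any of those CVEs. `resolveInRepo` resolves the repository root to its real path, rejects absolute inputs, checks the cleaned candidate path lexically, then resolves symlinks and checks the real target again, because a lexical check alone passes an in-repo symlink whose target is outside. `buildFixture` lays out a constructed temporary checkout with one symlink that stays inside the repo (allowed) and one that points outside it (rejected); the file names and contents are invented for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("path escapes repository root")

// within reports whether p is root itself or lies underneath it. Both paths must
// already be absolute and cleaned; a relative form starting with ".." means escape.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveInRepo maps a repository-relative path to the real file it denotes and
// fails if either the cleaned path or the symlink-resolved target leaves root.
func resolveInRepo(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", fmt.Errorf("%q: absolute paths are not allowed", rel)
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Resolve the root first so that a root living under a symlinked directory
	// (for example /tmp on macOS) compares cleanly against resolved targets.
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(realRoot, rel) // Join cleans, collapsing ".." segments
	if !within(realRoot, candidate) {
		return "", fmt.Errorf("%q: %w (lexical)", rel, errEscape)
	}
	target, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err // missing file or dangling link
	}
	if !within(realRoot, target) {
		return "", fmt.Errorf("%q: %w (symlink to %s)", rel, errEscape, target)
	}
	return target, nil
}

// buildFixture creates a constructed checkout for the demonstration:
//   <tmp>/repo/chart/values.yaml                          ordinary file
//   <tmp>/repo/chart/alias.yaml -> values.yaml            symlink staying inside
//   <tmp>/repo/chart/leak.yaml  -> <tmp>/outside/secret.yaml  symlink escaping
// It returns the repo root and a cleanup function that removes everything.
func buildFixture() (string, func(), error) {
	tmp, err := os.MkdirTemp("", "repo-root-check")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(tmp) }
	repo := filepath.Join(tmp, "repo")
	chart := filepath.Join(repo, "chart")
	outside := filepath.Join(tmp, "outside")
	steps := []func() error{
		func() error { return os.MkdirAll(chart, 0o755) },
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.WriteFile(filepath.Join(chart, "values.yaml"), []byte("replicas: 1\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(outside, "secret.yaml"), []byte("password: example-only\n"), 0o600) },
		func() error { return os.Symlink("values.yaml", filepath.Join(chart, "alias.yaml")) },
		func() error { return os.Symlink(filepath.Join(outside, "secret.yaml"), filepath.Join(chart, "leak.yaml")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return repo, cleanup, nil
}

func main() {
	repo, cleanup, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, rel := range []string{"chart/values.yaml", "chart/alias.yaml", "chart/../chart/values.yaml",
		"chart/leak.yaml", "../outside/secret.yaml", "/etc/passwd"} {
		if p, err := resolveInRepo(repo, rel); err != nil {
			fmt.Printf("REJECT %-28s %v\n", rel, err)
		} else {
			fmt.Printf("ALLOW  %-28s -> %s\n", rel, p)
		}
	}
}
```

The order of the two checks matters: cleaning first stops `../outside/secret.yaml`, and resolving afterwards stops `chart/leak.yaml`, which is lexically inside the repo. Resolving the root itself is what keeps the comparison honest when the checkout directory is reached through a symlink.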
Page 2 of 2