Go modules package
github.com/argoproj/argo-cd
pkg:golang/github.com/argoproj/argo-cd
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-31034 | — | >= 0.11.0, < 2.1.16 | 2.1.16 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently rando | ||
| CVE-2022-31016 | — | >= 0.7.0, < 2.1.16 | 2.1.16 | Jun 25, 2022 | Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must b | ||
| CVE-2022-29165 | — | < 2.1.15 | 2.1.15 | May 20, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user | ||
| CVE-2022-24905 | — | < 2.1.15 | 2.1.15 | May 20, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit | ||
| CVE-2022-24768 | — | >= 0.5.0, < 2.1.14 | 2.1.14 | Mar 23, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting w | ||
| CVE-2022-24731 | — | >= 1.5.0, < 2.1.11 | 2.1.11 | Mar 23, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files fro | ||
| CVE-2022-24730 | — | >= 1.3.0, < 2.1.11 | 2.1.11 | Mar 23, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only | ||
| CVE-2022-24348 | — | < 2.1.9 | 2.1.9 | Feb 4, 2022 | Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file. | ||
| CVE-2018-21034 | — | < 1.5.0-rc1 | 1.5.0-rc1 | Apr 9, 2020 | In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git. | ||
| CVE-2020-8828 | — | <= 1.8.0 | — | Apr 8, 2020 | As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are n | ||
| CVE-2020-8827 | — | < 1.5.1 | 1.5.1 | Apr 8, 2020 | As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. | ||
| CVE-2020-11576 | — | >= 1.5.0, < 1.5.1 | 1.5.1 | Apr 8, 2020 | Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise. |
- CVE-2022-31034Jun 27, 2022affected >= 0.11.0, < 2.1.16fixed 2.1.16
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently rando
- CVE-2022-31016Jun 25, 2022affected >= 0.7.0, < 2.1.16fixed 2.1.16
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must b
- CVE-2022-29165May 20, 2022affected < 2.1.15fixed 2.1.15
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user
- CVE-2022-24905May 20, 2022affected < 2.1.15fixed 2.1.15
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit
- CVE-2022-24768Mar 23, 2022affected >= 0.5.0, < 2.1.14fixed 2.1.14
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting w
- CVE-2022-24731Mar 23, 2022affected >= 1.5.0, < 2.1.11fixed 2.1.11
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files fro
- CVE-2022-24730Mar 23, 2022affected >= 1.3.0, < 2.1.11fixed 2.1.11
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only
- CVE-2022-24348Feb 4, 2022affected < 2.1.9fixed 2.1.9
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
- CVE-2018-21034Apr 9, 2020affected < 1.5.0-rc1fixed 1.5.0-rc1
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
- CVE-2020-8828Apr 8, 2020affected <= 1.8.0
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are n
- CVE-2020-8827Apr 8, 2020affected < 1.5.1fixed 1.5.1
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
- CVE-2020-11576Apr 8, 2020affected >= 1.5.0, < 1.5.1fixed 1.5.1
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Page 2 of 2