github.com/argoproj/argo-cd/v2-v2.8.9: 23 vulnerabilities (highest severity is: 9.8) #463
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
Publish Date: 2024-03-18
URL: CVE-2024-21652
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21652
Release Date: 2024-03-18
Fix Resolution: v2.8.13,v2.9.9,v2.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
Publish Date: 2024-05-21
URL: CVE-2024-31989
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-31989
Release Date: 2024-05-21
Fix Resolution: argoproj/argo-cd-v2.8.19,v2.9.15,v2.10.10,v2.11.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the
link.argocd.argoproj.ioannotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.Publish Date: 2024-03-13
URL: CVE-2024-28175
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jwv5-8mqv-g387
Release Date: 2024-03-13
Fix Resolution: v2.8.12,v2.9.8,v2.10.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - k8s.io/KUBERNETES-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/!k!u!b!e!r!n!e!t!e!s/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A security vulnerability was discovered in Kubernetes that could allow a
user with the ability to create a pod and associate a gitRepo volume to
execute arbitrary commands beyond the container boundary. This
vulnerability leverages the hooks folder in the target repository to run
arbitrary commands outside of the container's boundary.
Publish Date: 2024-11-22
URL: CVE-2024-10220
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q4/109
Release Date: 2024-11-19
Fix Resolution: github.com/kubernetes/kubernetes-v1.28.12,v1.29.7,v1.30.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - k8s.io/KUBERNETES-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/!k!u!b!e!r!n!e!t!e!s/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.
Publish Date: 2024-11-17
URL: CVE-2024-0793
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-11-17
Fix Resolution: github.com/openshift/kubernetes-8f8514080eaed5bdcbaa67a02d7314440aac5ec4
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
Publish Date: 2024-07-22
URL: CVE-2024-40634
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-40634
Release Date: 2024-07-22
Fix Resolution: github.com/argoproj/argo-cd-v2.9.20,v2.10.15,v2.11.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a
defaultMaxCacheSizeof 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch.Publish Date: 2024-03-18
URL: CVE-2024-21662
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2vgg-9h6w-m454
Release Date: 2024-03-18
Fix Resolution: v2.8.13,v2.9.9,v2.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
Publish Date: 2024-03-18
URL: CVE-2024-21661
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6v85-wr92-q4p7
Release Date: 2024-03-18
Fix Resolution: v2.8.13,v2.9.9,v2.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - golang.org/x/net-v0.21.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Publish Date: 2024-04-04
URL: CVE-2023-45288
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-10-06
Fix Resolution: golang/net - v0.23.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - k8s.io/apiserver-v0.24.2
Library for writing a Kubernetes-style API server.
Library home page: https://proxy.golang.org/k8s.io/apiserver/@v/v0.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/apiserver/@v/v0.24.2.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - golang.org/x/crypto-v0.20.0
Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.20.0.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/crypto/@v/v0.20.0.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
Publish Date: 2024-12-11
URL: CVE-2024-45337
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v778-237x-gjrc
Release Date: 2024-12-11
Fix Resolution: golang.org/x/crypto-v0.31.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
Publish Date: 2024-04-26
URL: CVE-2024-32476
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9m6p-x4h2-6frq
Release Date: 2024-04-26
Fix Resolution: v2.8.17,v2.9.13,v2.10.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.
Publish Date: 2024-03-29
URL: CVE-2024-29893
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jhwx-mhww-rgc3
Release Date: 2024-03-29
Fix Resolution: v2.8.14,v2.9.10,v2.10.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have
createprivileges but notoverrideprivileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removingapplications, createRBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.Publish Date: 2024-03-13
URL: CVE-2023-50726
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-g623-jcgg-mhmm
Release Date: 2024-03-13
Fix Resolution: v2.8.12,v2.9.8,v2.10.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/hashiCorp/go-retryablehttp-v0.7.5
Library home page: https://proxy.golang.org/github.com/hashi!corp/go-retryablehttp/@v/v0.7.5.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/hashicorp/go-retryablehttp/@v/v0.7.5.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Publish Date: 2024-06-24
URL: CVE-2024-6104
CVSS 3 Score Details (6.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-6104
Release Date: 2024-06-24
Fix Resolution: github.com/hashicorp/go-retryablehttp-v0.7.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - k8s.io/KUBERNETES-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/!k!u!b!e!r!n!e!t!e!s/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This issue affects kubelet through v1.29.12, v1.30.0 to v1.30.8, v1.31.0 to v1.31.4 and v1.32.0.
Publish Date: 2025-01-18
URL: CVE-2024-9042
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2025/q1/23
Release Date: 2025-01-18
Fix Resolution: github.com/kubernetes/kubernetes-v1.29.13,v1.30.9,v1.31.5,v1.32.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - golang.org/x/net-v0.21.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Publish Date: 2024-12-18
URL: CVE-2024-45338
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-12-18
Fix Resolution: github.com/golang/net-v0.33.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Publish Date: 2024-06-06
URL: CVE-2024-37152
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-87p9-x75h-p4j2
Release Date: 2024-06-06
Fix Resolution: argo-cd/server-v2.9.17,v2.10.12,v2.11.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.
Publish Date: 2024-04-15
URL: CVE-2024-31990
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2gvw-w6fj-7m3c
Release Date: 2024-04-15
Fix Resolution: v2.8.16,v2.9.12,v2.10.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user
p, role:myrole, exec, create, */*, allow, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only userp, role:myrole, exec, create, */*, allowpermissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21.Publish Date: 2024-07-24
URL: CVE-2024-41666
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v8wx-v5jq-qhhw
Release Date: 2024-07-24
Fix Resolution: github.com/argoproj/argo-cd-v2.9.21,v2.10.16,v2.11.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Publish Date: 2024-06-06
URL: CVE-2024-36106
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3cqf-953p-h5cp
Release Date: 2024-06-06
Fix Resolution: github.com/argoproj/argo-cd-v2.9.17,v2.10.12,v2.11.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/go-jose/go-jose/v3-v3.0.2
An implementation of JOSE standards (JWE, JWS, JWT) in Go
Library home page: https://proxy.golang.org/github.com/go-jose/go-jose/v3/@v/v3.0.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.2.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Publish Date: 2024-03-09
URL: CVE-2024-28180
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180
Release Date: 2024-03-09
Fix Resolution: v2.6.3,v3.0.3,v4.0.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: