From 1bddee2e5dfff35613847eef9a2c0e6818976dc3 Mon Sep 17 00:00:00 2001 From: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Date: Tue, 26 Mar 2024 17:44:00 +0100 Subject: [PATCH 01/14] fix(cmp): pass env to plugin discovery (#13947) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: Blake Pettersson Co-authored-by: Jann Fischer --- reposerver/repository/repository.go | 25 ++++++++++++++++++------ reposerver/repository/repository_test.go | 6 +++--- util/app/discovery/discovery.go | 8 ++++---- util/app/discovery/discovery_test.go | 14 ++++++------- 4 files changed, 33 insertions(+), 20 deletions(-) diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index 898c4c635fd48..6e22f1c297366 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go @@ -222,7 +222,7 @@ func (s *Service) ListApps(ctx context.Context, q *apiclient.ListAppsRequest) (* } defer io.Close(closer) - apps, err := discovery.Discover(ctx, gitClient.Root(), gitClient.Root(), q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs) + apps, err := discovery.Discover(ctx, gitClient.Root(), gitClient.Root(), q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs, []string{}) if err != nil { return nil, fmt.Errorf("error discovering applications: %w", err) } @@ -1373,7 +1373,9 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, resourceTracking := argo.NewResourceTracking() - appSourceType, err := GetAppSourceType(ctx, q.ApplicationSource, appPath, repoRoot, q.AppName, q.EnabledSourceTypes, opt.cmpTarExcludedGlobs) + env := newEnv(q, revision) + + appSourceType, err := GetAppSourceType(ctx, q.ApplicationSource, appPath, repoRoot, q.AppName, q.EnabledSourceTypes, opt.cmpTarExcludedGlobs, env.Environ()) if err != nil { return nil, fmt.Errorf("error getting app source type: %w", err) } 
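Review bot: ListApps now passes `[]string{}` as the env argument to discovery.Discover, while GenerateManifests (the next hunk) and GetAppDetails pass the application's env, so a plugin whose discovery depends on those variables could be matched during manifest generation but not by ListApps. If that is deliberate because no single application is in scope here, a comment at the call site would stop it being "fixed" later: `// No per-application env is available in ListApps; plugin discovery runs with an empty environment.` ListApps begins outside the hunk.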
@@ -1381,7 +1383,6 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, if q.Repo != nil { repoURL = q.Repo.Repo } - env := newEnv(q, revision) switch appSourceType { case v1alpha1.ApplicationSourceTypeHelm: @@ -1477,6 +1478,16 @@ func newEnv(q *apiclient.ManifestRequest, revision string) *v1alpha1.Env { } } +func newEnvRepoQuery(q *apiclient.RepoServerAppDetailsQuery, revision string) *v1alpha1.Env { + return &v1alpha1.Env{ + &v1alpha1.EnvEntry{Name: "ARGOCD_APP_NAME", Value: q.AppName}, + &v1alpha1.EnvEntry{Name: "ARGOCD_APP_REVISION", Value: revision}, + &v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_REPO_URL", Value: q.Repo.Repo}, + &v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_PATH", Value: q.Source.Path}, + &v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_TARGET_REVISION", Value: q.Source.TargetRevision}, + } +} + // mergeSourceParameters merges parameter overrides from one or more files in // the Git repo into the given ApplicationSource objects. // @@ -1536,7 +1547,7 @@ func mergeSourceParameters(source *v1alpha1.ApplicationSource, path, appName str } // GetAppSourceType returns explicit application source type or examines a directory and determines its application source type -func GetAppSourceType(ctx context.Context, source *v1alpha1.ApplicationSource, appPath, repoPath, appName string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string) (v1alpha1.ApplicationSourceType, error) { +func GetAppSourceType(ctx context.Context, source *v1alpha1.ApplicationSource, appPath, repoPath, appName string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string, env []string) (v1alpha1.ApplicationSourceType, error) { err := mergeSourceParameters(source, appPath, appName) if err != nil { return "", fmt.Errorf("error while parsing source parameters: %v", err) 
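Review bot: newEnvRepoQuery reads `q.Repo.Repo`, `q.Source.Path` and `q.Source.TargetRevision` without checking the pointers, whereas the GenerateManifests hunk just above guards `q.Repo != nil` before reading `q.Repo.Repo`; if a RepoServerAppDetailsQuery can reach GetAppDetails (the hunk at -1965, which calls this helper) with Repo or Source unset, the request now panics instead of returning an error. Whether the query is validated earlier is not visible here, so this is hedged. Guarding the two pointers costs a few lines and keeps the helper total; the unexported function also lacks a comment, e.g. `// newEnvRepoQuery builds the ARGOCD_APP_* environment for a RepoServerAppDetailsQuery, mirroring newEnv for ManifestRequest.`
```go
// newEnvRepoQuery builds the ARGOCD_APP_* environment for a RepoServerAppDetailsQuery,
// mirroring newEnv for ManifestRequest. An unset Repo or Source yields empty values
// rather than a nil-pointer panic.
func newEnvRepoQuery(q *apiclient.RepoServerAppDetailsQuery, revision string) *v1alpha1.Env {
	var repoURL, sourcePath, targetRevision string
	if q.Repo != nil {
		repoURL = q.Repo.Repo
	}
	if q.Source != nil {
		sourcePath = q.Source.Path
		targetRevision = q.Source.TargetRevision
	}
	return &v1alpha1.Env{
		&v1alpha1.EnvEntry{Name: "ARGOCD_APP_NAME", Value: q.AppName},
		&v1alpha1.EnvEntry{Name: "ARGOCD_APP_REVISION", Value: revision},
		&v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_REPO_URL", Value: repoURL},
		&v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_PATH", Value: sourcePath},
		&v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_TARGET_REVISION", Value: targetRevision},
	}
}
```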
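Review bot: The doc comment on GetAppSourceType is not updated for the new `env []string` parameter, so a caller cannot tell from the signature what the slice is used for. Following the call chain visible in this series (GetAppSourceType → discovery.AppType → discovery.Discover → DetectConfigManagementPlugin), a sentence such as `// env is forwarded to config management plugin detection (discovery.AppType) when the source type is not set explicitly.` would close the gap. The function body continues outside the hunk.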
@@ -1553,7 +1564,7 @@ func GetAppSourceType(ctx context.Context, source *v1alpha1.ApplicationSource, a } return *appSourceType, nil } - appType, err := discovery.AppType(ctx, appPath, repoPath, enableGenerateManifests, tarExcludedGlobs) + appType, err := discovery.AppType(ctx, appPath, repoPath, enableGenerateManifests, tarExcludedGlobs, env) if err != nil { return "", fmt.Errorf("error getting app source type: %v", err) } @@ -1965,7 +1976,9 @@ func (s *Service) GetAppDetails(ctx context.Context, q *apiclient.RepoServerAppD return err } - appSourceType, err := GetAppSourceType(ctx, q.Source, opContext.appPath, repoRoot, q.AppName, q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs) + env := newEnvRepoQuery(q, revision) + + appSourceType, err := GetAppSourceType(ctx, q.Source, opContext.appPath, repoRoot, q.AppName, q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs, env.Environ()) if err != nil { return err } diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go index 99dd88ccdd028..ea1aa2294adc3 100644 --- a/reposerver/repository/repository_test.go +++ b/reposerver/repository/repository_test.go 
@@ -1454,15 +1454,15 @@ func TestGenerateNullList(t *testing.T) { } func TestIdentifyAppSourceTypeByAppDirWithKustomizations(t *testing.T) { - sourceType, err := GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yaml", "./testdata", "testapp", map[string]bool{}, []string{}) + sourceType, err := GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yaml", "./testdata", "testapp", map[string]bool{}, []string{}, []string{}) assert.Nil(t, err) assert.Equal(t, argoappv1.ApplicationSourceTypeKustomize, sourceType) - sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yml", "./testdata", "testapp", map[string]bool{}, []string{}) + sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yml", "./testdata", "testapp", map[string]bool{}, []string{}, []string{}) assert.Nil(t, err) assert.Equal(t, argoappv1.ApplicationSourceTypeKustomize, sourceType) - sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/Kustomization", "./testdata", "testapp", map[string]bool{}, []string{}) + sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/Kustomization", "./testdata", "testapp", map[string]bool{}, []string{}, []string{}) assert.Nil(t, err) assert.Equal(t, argoappv1.ApplicationSourceTypeKustomize, sourceType) } diff --git a/util/app/discovery/discovery.go b/util/app/discovery/discovery.go index 21fbe5fd4bf36..b46a86ff426e3 100644 --- a/util/app/discovery/discovery.go +++ b/util/app/discovery/discovery.go 
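Review bot: Every updated call in this test file, and in TestDiscover, TestAppType and TestAppType_Disabled in discovery_test.go, passes `[]string{}` for the new env argument, so the behaviour this commit fixes — the application's env reaching plugin discovery — has no test exercising a non-empty env. A test that passes a populated env and asserts it is observed by DetectConfigManagementPlugin would protect the fix from regressing; what the plugin side needs for such a test is not visible here. The test helpers in repository_test.go are outside this hunk.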
@@ -31,11 +31,11 @@ func IsManifestGenerationEnabled(sourceType v1alpha1.ApplicationSourceType, enab return enabled } -func Discover(ctx context.Context, appPath, repoPath string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string) (map[string]string, error) { +func Discover(ctx context.Context, appPath, repoPath string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string, env []string) (map[string]string, error) { apps := make(map[string]string) // Check if it is CMP - conn, _, err := DetectConfigManagementPlugin(ctx, appPath, repoPath, "", []string{}, tarExcludedGlobs) + conn, _, err := DetectConfigManagementPlugin(ctx, appPath, repoPath, "", env, tarExcludedGlobs) if err == nil { // Found CMP io.Close(conn) @@ -67,8 +67,8 @@ func Discover(ctx context.Context, appPath, repoPath string, enableGenerateManif return apps, err } -func AppType(ctx context.Context, appPath, repoPath string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string) (string, error) { - apps, err := Discover(ctx, appPath, repoPath, enableGenerateManifests, tarExcludedGlobs) +func AppType(ctx context.Context, appPath, repoPath string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string, env []string) (string, error) { + apps, err := Discover(ctx, appPath, repoPath, enableGenerateManifests, tarExcludedGlobs, env) if err != nil { return "", err } diff --git a/util/app/discovery/discovery_test.go b/util/app/discovery/discovery_test.go index 54eb30aff4fd1..771a1942eb467 100644 --- a/util/app/discovery/discovery_test.go +++ b/util/app/discovery/discovery_test.go @@ -10,7 +10,7 @@ import ( ) func TestDiscover(t *testing.T) { - apps, err := Discover(context.Background(), "./testdata", "./testdata", map[string]bool{}, []string{}) + apps, err := Discover(context.Background(), "./testdata", "./testdata", map[string]bool{}, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, map[string]string{ "foo": "Kustomize", 
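Review bot: Discover and AppType are exported and both gain an `env []string` parameter, but neither has a doc comment, so the meaning of the slice is only discoverable by reading DetectConfigManagementPlugin; the AppType hunk below has the same gap. Suggest `// Discover detects the source type of applications under appPath; env is forwarded to config management plugin detection.` on Discover and `// AppType resolves the source type of appPath via Discover; env is forwarded to plugin detection.` on AppType, with the first clause checked against the map Discover actually returns, which is only partly visible here. Discover's body continues outside the hunk.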
@@ -19,15 +19,15 @@ func TestDiscover(t *testing.T) { } func TestAppType(t *testing.T) { - appType, err := AppType(context.Background(), "./testdata/foo", "./testdata", map[string]bool{}, []string{}) + appType, err := AppType(context.Background(), "./testdata/foo", "./testdata", map[string]bool{}, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, "Kustomize", appType) - appType, err = AppType(context.Background(), "./testdata/baz", "./testdata", map[string]bool{}, []string{}) + appType, err = AppType(context.Background(), "./testdata/baz", "./testdata", map[string]bool{}, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, "Helm", appType) - appType, err = AppType(context.Background(), "./testdata", "./testdata", map[string]bool{}, []string{}) + appType, err = AppType(context.Background(), "./testdata", "./testdata", map[string]bool{}, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, "Directory", appType) } 
@@ -37,15 +37,15 @@ func TestAppType_Disabled(t *testing.T) { string(v1alpha1.ApplicationSourceTypeKustomize): false, string(v1alpha1.ApplicationSourceTypeHelm): false, } - appType, err := AppType(context.Background(), "./testdata/foo", "./testdata", enableManifestGeneration, []string{}) + appType, err := AppType(context.Background(), "./testdata/foo", "./testdata", enableManifestGeneration, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, "Directory", appType) - appType, err = AppType(context.Background(), "./testdata/baz", "./testdata", enableManifestGeneration, []string{}) + appType, err = AppType(context.Background(), "./testdata/baz", "./testdata", enableManifestGeneration, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, "Directory", appType) - appType, err = AppType(context.Background(), "./testdata", "./testdata", enableManifestGeneration, []string{}) + appType, err = AppType(context.Background(), "./testdata", "./testdata", enableManifestGeneration, []string{}, []string{}) assert.NoError(t, err) assert.Equal(t, "Directory", appType) } From ad372cf716a57478b59bef0650104a2cde09e56a Mon Sep 17 00:00:00 2001 From: danqixu <156804971+danqixu@users.noreply.github.com> Date: Wed, 27 Mar 2024 08:22:21 -0500 Subject: [PATCH 02/14] wrap error for SyncKeyRingFromDirectory (#17633) Signed-off-by: danqixu --- util/gpg/gpg.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/util/gpg/gpg.go b/util/gpg/gpg.go index 681c22d310e23..cdc6bd4c4fee5 100644 --- a/util/gpg/gpg.go +++ b/util/gpg/gpg.go 
@@ -718,14 +718,14 @@ func SyncKeyRingFromDirectory(basePath string) ([]string, []string, error) { return nil }) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("error walk path: %w", err) } // Collect GPG keys installed in the key ring installed := make(map[string]*appsv1.GnuPGPublicKey) keys, err := GetInstalledPGPKeys(nil) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("error get installed PGP keys: %w", err) } for _, v := range keys { installed[v.KeyID] = v @@ -736,16 +736,16 @@ func SyncKeyRingFromDirectory(basePath string) ([]string, []string, error) { if _, ok := installed[key]; !ok { addedKey, err := ImportPGPKeys(path.Join(basePath, key)) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("error import PGP keys: %w", err) } if len(addedKey) != 1 { - return nil, nil, fmt.Errorf("Invalid key found in %s", path.Join(basePath, key)) + return nil, nil, fmt.Errorf("invalid key found in %s", path.Join(basePath, key)) } importedKey, err := GetInstalledPGPKeys([]string{addedKey[0].KeyID}) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("error get installed PGP keys: %w", err) } else if len(importedKey) != 1 { - return nil, nil, fmt.Errorf("Could not get details of imported key ID %s", importedKey) + return nil, nil, fmt.Errorf("could not get details of imported key ID %s", importedKey) } newKeys = append(newKeys, key) fingerprints = append(fingerprints, importedKey[0].Fingerprint) @@ -756,12 +756,12 @@ func SyncKeyRingFromDirectory(basePath string) ([]string, []string, error) { for key := range installed { secret, err := IsSecretKey(key) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("error check secret key: %w", err) } if _, ok := configured[key]; !ok && !secret { err := DeletePGPKey(key) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("error delete PGP keys: %w", err) } removedKeys = append(removedKeys, key) } 
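Review bot: The new wrap messages `error walk path: %w` and `error get installed PGP keys: %w` repeat the word "error" that the chain already implies and are not grammatical; the same pattern appears in the -736 and -756 hunks (`error import PGP keys`, `error check secret key`, `error delete PGP keys`). Go convention is to say what this layer was doing, e.g. `fmt.Errorf("walking %s: %w", basePath, err)` and `fmt.Errorf("listing installed PGP keys: %w", err)` here, and in the later hunks `importing %s: %w` with `path.Join(basePath, key)`, `checking whether %s is a secret key: %w` and `deleting key %s: %w` with `key`. SyncKeyRingFromDirectory begins outside the hunk.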
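Review bot: `fmt.Errorf("could not get details of imported key ID %s", importedKey)` formats `importedKey`, which is the slice returned by GetInstalledPGPKeys (it is length-checked on the preceding line), not the key ID the message names; the commit only lowercased the text. The ID that was looked up is at hand as `addedKey[0].KeyID`, so `return nil, nil, fmt.Errorf("could not get details of imported key ID %s", addedKey[0].KeyID)` prints what the reader expects. Both lines sit inside the per-key loop, which starts outside the hunk.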
@@ -772,5 +772,5 @@ func SyncKeyRingFromDirectory(basePath string) ([]string, []string, error) { _ = SetPGPTrustLevelById(fingerprints, TrustUltimate) } - return newKeys, removedKeys, err + return newKeys, removedKeys, nil } From 442dac12a7d49cc4e120882f4a8283089120b4df Mon Sep 17 00:00:00 2001 From: treble-snake Date: Wed, 27 Mar 2024 16:39:58 +0200 Subject: [PATCH 03/14] docs(user-guide): fix a typo (#17642) Signed-off-by: treble-snake --- docs/user-guide/sync-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/sync-options.md b/docs/user-guide/sync-options.md index 985f9fcf3c974..a563821967d04 100644 --- a/docs/user-guide/sync-options.md +++ b/docs/user-guide/sync-options.md @@ -1,6 +1,6 @@ # Sync Options -Argo CD allows users to customize some aspects of how it syncs the desired state in the target cluster. Some Sync Options can defined as annotations in a specific resource. Most of the Sync Options are configured in the Application resource `spec.syncPolicy.syncOptions` attribute. Multiple Sync Options which are configured with the `argocd.argoproj.io/sync-options` annotation can be concatenated with a `,` in the annotation value; white spaces will be trimmed. +Argo CD allows users to customize some aspects of how it syncs the desired state in the target cluster. Some Sync Options can be defined as annotations in a specific resource. Most of the Sync Options are configured in the Application resource `spec.syncPolicy.syncOptions` attribute. Multiple Sync Options which are configured with the `argocd.argoproj.io/sync-options` annotation can be concatenated with a `,` in the annotation value; white spaces will be trimmed. Below you can find details about each available Sync Option: From e9547bce4231fcf4e0dd680b11b61c59f7081918 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 18:16:25 +0000 Subject: [PATCH 04/14] [Bot] docs: Update Snyk reports (#17601) 
Signed-off-by: CI Co-authored-by: CI --- docs/snyk/index.md | 40 +- docs/snyk/master/argocd-iac-install.html | 80 +- .../master/argocd-iac-namespace-install.html | 2 +- docs/snyk/master/argocd-test.html | 2 +- .../master/ghcr.io_dexidp_dex_v2.38.0.html | 14 +- docs/snyk/master/haproxy_2.6.14-alpine.html | 14 +- .../quay.io_argoproj_argocd_latest.html | 804 ++++++--- docs/snyk/master/redis_7.0.14-alpine.html | 14 +- docs/snyk/v2.7.17/argocd-iac-install.html | 2 +- .../v2.7.17/argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.7.17/argocd-test.html | 2 +- .../v2.7.17/ghcr.io_dexidp_dex_v2.37.0.html | 14 +- docs/snyk/v2.7.17/haproxy_2.6.14-alpine.html | 14 +- .../quay.io_argoproj_argocd_v2.7.17.html | 1151 ++++++++++--- docs/snyk/v2.7.17/redis_7.0.14-alpine.html | 14 +- .../argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- .../{v2.8.11 => v2.8.13}/argocd-test.html | 2 +- .../ghcr.io_dexidp_dex_v2.37.0.html | 14 +- .../haproxy_2.6.14-alpine.html | 14 +- .../quay.io_argoproj_argocd_v2.8.13.html} | 1464 ++++++++++++----- .../redis_7.0.11-alpine.html | 14 +- .../argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- docs/snyk/{v2.9.7 => v2.9.9}/argocd-test.html | 2 +- .../ghcr.io_dexidp_dex_v2.37.0.html | 14 +- .../haproxy_2.6.14-alpine.html | 14 +- .../quay.io_argoproj_argocd_v2.9.9.html} | 1234 ++++++++------ .../redis_7.0.11-alpine.html | 14 +- 29 files changed, 3386 insertions(+), 1577 deletions(-) rename docs/snyk/{v2.8.11 => v2.8.13}/argocd-iac-install.html (99%) rename docs/snyk/{v2.8.11 => v2.8.13}/argocd-iac-namespace-install.html (99%) rename docs/snyk/{v2.8.11 => v2.8.13}/argocd-test.html (99%) rename docs/snyk/{v2.9.7 => v2.8.13}/ghcr.io_dexidp_dex_v2.37.0.html (99%) rename docs/snyk/{v2.9.7 => v2.8.13}/haproxy_2.6.14-alpine.html (98%) rename docs/snyk/{v2.9.7/quay.io_argoproj_argocd_v2.9.7.html => v2.8.13/quay.io_argoproj_argocd_v2.8.13.html} (79%) rename docs/snyk/{v2.8.11 => v2.8.13}/redis_7.0.11-alpine.html 
(99%) rename docs/snyk/{v2.9.7 => v2.9.9}/argocd-iac-install.html (99%) rename docs/snyk/{v2.9.7 => v2.9.9}/argocd-iac-namespace-install.html (99%) rename docs/snyk/{v2.9.7 => v2.9.9}/argocd-test.html (99%) rename docs/snyk/{v2.8.11 => v2.9.9}/ghcr.io_dexidp_dex_v2.37.0.html (99%) rename docs/snyk/{v2.8.11 => v2.9.9}/haproxy_2.6.14-alpine.html (98%) rename docs/snyk/{v2.8.11/quay.io_argoproj_argocd_v2.8.11.html => v2.9.9/quay.io_argoproj_argocd_v2.9.9.html} (85%) rename docs/snyk/{v2.9.7 => v2.9.9}/redis_7.0.11-alpine.html (99%) diff --git a/docs/snyk/index.md b/docs/snyk/index.md index f64361856ff55..5f26934a1b4b4 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md 
@@ -17,36 +17,36 @@ recent minor releases. | [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 | | [dex:v2.38.0](master/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 2 | 1 | | [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 1 | -| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 6 | 15 | +| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 8 | 14 | | [redis:7.0.14-alpine](master/redis_7.0.14-alpine.html) | 0 | 0 | 2 | 1 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.9.7 +### v2.9.9 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.9.7/argocd-test.html) | 0 | 1 | 11 | 0 | -| [ui/yarn.lock](v2.9.7/argocd-test.html) | 0 | 0 | 0 | 0 | -| [dex:v2.37.0](v2.9.7/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 1 | -| [haproxy:2.6.14-alpine](v2.9.7/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 1 | -| [argocd:v2.9.7](v2.9.7/quay.io_argoproj_argocd_v2.9.7.html) | 0 | 0 | 6 | 15 | -| [redis:7.0.11-alpine](v2.9.7/redis_7.0.11-alpine.html) | 1 | 1 | 6 | 1 | -| [install.yaml](v2.9.7/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.9.7/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.9.9/argocd-test.html) | 0 | 1 | 11 | 0 | +| [ui/yarn.lock](v2.9.9/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.37.0](v2.9.9/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 1 | +| [haproxy:2.6.14-alpine](v2.9.9/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 1 | +| [argocd:v2.9.9](v2.9.9/quay.io_argoproj_argocd_v2.9.9.html) | 0 | 0 | 9 | 14 | +| [redis:7.0.11-alpine](v2.9.9/redis_7.0.11-alpine.html) | 1 | 1 | 6 | 1 | +| [install.yaml](v2.9.9/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.9.9/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.8.11 +### v2.8.13 | | Critical | High | Medium | Low | 
|---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.8.11/argocd-test.html) | 0 | 1 | 11 | 0 | -| [ui/yarn.lock](v2.8.11/argocd-test.html) | 0 | 0 | 0 | 0 | -| [dex:v2.37.0](v2.8.11/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 1 | -| [haproxy:2.6.14-alpine](v2.8.11/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 1 | -| [argocd:v2.8.11](v2.8.11/quay.io_argoproj_argocd_v2.8.11.html) | 0 | 0 | 6 | 15 | -| [redis:7.0.11-alpine](v2.8.11/redis_7.0.11-alpine.html) | 1 | 1 | 6 | 1 | -| [install.yaml](v2.8.11/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.8.11/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.8.13/argocd-test.html) | 0 | 1 | 11 | 0 | +| [ui/yarn.lock](v2.8.13/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.37.0](v2.8.13/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 1 | +| [haproxy:2.6.14-alpine](v2.8.13/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 1 | +| [argocd:v2.8.13](v2.8.13/quay.io_argoproj_argocd_v2.8.13.html) | 0 | 0 | 9 | 14 | +| [redis:7.0.11-alpine](v2.8.13/redis_7.0.11-alpine.html) | 1 | 1 | 6 | 1 | +| [install.yaml](v2.8.13/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.8.13/argocd-iac-namespace-install.html) | - | - | - | - | ### v2.7.17 @@ -56,7 +56,7 @@ recent minor releases. | [ui/yarn.lock](v2.7.17/argocd-test.html) | 0 | 1 | 0 | 0 | | [dex:v2.37.0](v2.7.17/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 1 | | [haproxy:2.6.14-alpine](v2.7.17/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 1 | -| [argocd:v2.7.17](v2.7.17/quay.io_argoproj_argocd_v2.7.17.html) | 0 | 0 | 6 | 20 | +| [argocd:v2.7.17](v2.7.17/quay.io_argoproj_argocd_v2.7.17.html) | 0 | 0 | 12 | 19 | | [redis:7.0.14-alpine](v2.7.17/redis_7.0.14-alpine.html) | 0 | 0 | 2 | 1 | | [install.yaml](v2.7.17/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.7.17/argocd-iac-namespace-install.html) | - | - | - | - | 
diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index 85d30a5a2f261..c063a06f7dae8 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

March 10th 2024, 12:17:06 am (UTC+00:00)

+

March 24th 2024, 12:17:17 am (UTC+00:00)

Scanned the following path: @@ -507,7 +507,7 @@

Role or ClusterRole with dangerous permissions

  • - Line number: 21041 + Line number: 21035
  • @@ -553,7 +553,7 @@

    Role or ClusterRole with dangerous permissions

  • - Line number: 20750 + Line number: 20744
  • @@ -599,7 +599,7 @@

    Role or ClusterRole with dangerous permissions

  • - Line number: 20835 + Line number: 20829
  • @@ -645,7 +645,7 @@

    Role or ClusterRole with dangerous permissions

  • - Line number: 20863 + Line number: 20857
  • @@ -691,7 +691,7 @@

    Role or ClusterRole with dangerous permissions

  • - Line number: 20893 + Line number: 20887
  • @@ -737,7 +737,7 @@

    Role or ClusterRole with dangerous permissions

  • - Line number: 20911 + Line number: 20905
  • @@ -783,7 +783,7 @@

    Role or ClusterRole with dangerous permissions

  • - Line number: 20927 + Line number: 20921
  • @@ -835,7 +835,7 @@

    Container could be running with outdated image

  • - Line number: 22209 + Line number: 22203
  • @@ -893,7 +893,7 @@

    Container has no CPU limit

  • - Line number: 21518 + Line number: 21512
  • @@ -951,7 +951,7 @@

    Container has no CPU limit

  • - Line number: 21769 + Line number: 21763
  • @@ -1009,7 +1009,7 @@

    Container has no CPU limit

  • - Line number: 21735 + Line number: 21729
  • @@ -1067,7 +1067,7 @@

    Container has no CPU limit

  • - Line number: 21829 + Line number: 21823
  • @@ -1125,7 +1125,7 @@

    Container has no CPU limit

  • - Line number: 21928 + Line number: 21922
  • @@ -1183,7 +1183,7 @@

    Container has no CPU limit

  • - Line number: 22209 + Line number: 22203
  • @@ -1241,7 +1241,7 @@

    Container has no CPU limit

  • - Line number: 21985 + Line number: 21979
  • @@ -1299,7 +1299,7 @@

    Container has no CPU limit

  • - Line number: 22294 + Line number: 22288
  • @@ -1357,7 +1357,7 @@

    Container has no CPU limit

  • - Line number: 22640 + Line number: 22634
  • @@ -1409,7 +1409,7 @@

    Container is running with multiple open ports

  • - Line number: 21749 + Line number: 21743
  • @@ -1461,7 +1461,7 @@

    Container is running without liveness probe

  • - Line number: 21518 + Line number: 21512
  • @@ -1513,7 +1513,7 @@

    Container is running without liveness probe

  • - Line number: 21735 + Line number: 21729
  • @@ -1565,7 +1565,7 @@

    Container is running without liveness probe

  • - Line number: 21928 + Line number: 21922
  • @@ -1623,7 +1623,7 @@

    Container is running without memory limit

  • - Line number: 21518 + Line number: 21512
  • @@ -1681,7 +1681,7 @@

    Container is running without memory limit

  • - Line number: 21735 + Line number: 21729
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 21769 + Line number: 21763
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 21829 + Line number: 21823
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 21928 + Line number: 21922
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 22209 + Line number: 22203
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 21985 + Line number: 21979
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 22294 + Line number: 22288
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 22640 + Line number: 22634
  • @@ -2143,7 +2143,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 21659 + Line number: 21653
  • @@ -2199,7 +2199,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 21777 + Line number: 21771
  • @@ -2255,7 +2255,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 21752 + Line number: 21746
  • @@ -2311,7 +2311,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 21862 + Line number: 21856
  • @@ -2367,7 +2367,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 21938 + Line number: 21932
  • @@ -2423,7 +2423,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 22216 + Line number: 22210
  • @@ -2479,7 +2479,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 22182 + Line number: 22176
  • @@ -2535,7 +2535,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 22550 + Line number: 22544
  • @@ -2591,7 +2591,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 22830 + Line number: 22824
  • diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index 3d719fb1189e5..1795ba67af3c6 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:17:15 am (UTC+00:00)

    +

    March 24th 2024, 12:17:26 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index 476d5e993ebd6..b745cf7cbd119 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:15:07 am (UTC+00:00)

    +

    March 24th 2024, 12:15:25 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html index f3b07e31116c8..7d85ddf3861f8 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:15:16 am (UTC+00:00)

    +

    March 24th 2024, 12:15:32 am (UTC+00:00)

    Scanned the following paths: @@ -627,12 +627,12 @@

    Remediation

    Upgrade Alpine:3.19 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/master/haproxy_2.6.14-alpine.html b/docs/snyk/master/haproxy_2.6.14-alpine.html index cdcba9cb220dd..106ec7c2cc72f 100644 --- a/docs/snyk/master/haproxy_2.6.14-alpine.html +++ b/docs/snyk/master/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:15:23 am (UTC+00:00)

    +

    March 24th 2024, 12:15:37 am (UTC+00:00)

    Scanned the following path: @@ -1030,12 +1030,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index 74ebafa9a0e5a..045db290b0fbb 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:15:42 am (UTC+00:00)

    +

    March 24th 2024, 12:15:54 am (UTC+00:00)

    Scanned the following paths: @@ -470,8 +470,8 @@

    Snyk test report

    -
    31 known vulnerabilities
    -
    153 vulnerable dependency paths
    +
    32 known vulnerabilities
    +
    175 vulnerable dependency paths
    2276 dependencies
    @@ -539,14 +539,14 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 xz-utils.

    References


    @@ -615,14 +615,14 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 openssh.

    References


    @@ -631,6 +631,218 @@

    References

    More about this vulnerability

    +
    +
    +

    Information Exposure

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + libgcrypt20 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@latest and libgcrypt20@1.9.4-3ubuntu3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + apt@2.4.11 + + gnupg2/gpgv@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpgsm@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + systemd/libsystemd0@249.11-0ubuntu3.12 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 libgcrypt20.

    +

    References

    + + +
    + + +

    CVE-2024-26461

    @@ -841,8 +1053,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -1061,8 +1273,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -1281,8 +1493,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -1456,14 +1668,218 @@

    Stack-based Buffer Overflow


    -

    Detailed paths

    +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + google.golang.org/protobuf/encoding/protojson@v1.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + google.golang.org/protobuf/encoding/protojson +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + google.golang.org/protobuf/encoding/protojson@v1.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Information Exposure

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + gnutls28/libgnutls30 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@latest and gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.17+dfsg-0ubuntu0.22.04.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + -
    -

    Infinite loop

    +

    Uncaught Exception

    @@ -1503,20 +1924,20 @@

    Infinite loop

    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - google.golang.org/protobuf/encoding/protojson + gnutls28/libgnutls30
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + docker-image|quay.io/argoproj/argocd@latest and gnutls28/libgnutls30@3.7.3-4ubuntu1.4
    @@ -1529,9 +1950,74 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@latest - google.golang.org/protobuf/encoding/protojson@v1.31.0 + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.17+dfsg-0ubuntu0.22.04.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4
    @@ -1542,23 +2028,24 @@

      Detailed paths


      -

      Overview

      -

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      -

      Note:

      -

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

      Remediation

      -

      Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

      +

      There is no fixed version for Ubuntu:22.04 gnutls28.

      References


    @@ -1921,80 +2408,6 @@

    Detailed paths

    More about this vulnerability

    -
    -
    -

    Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.10 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.34.1-1ubuntu1.10 - - expat/libexpat1@2.4.7-1ubuntu0.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 expat.

    -

    References

    - - -
    - - -

    CVE-2023-7008

    @@ -2156,13 +2569,13 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 systemd.

    References


    @@ -2262,11 +2675,11 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 shadow.

    References


    @@ -2423,8 +2836,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 patch.

    References


    @@ -2558,7 +2971,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - bash@5.1-6ubuntu1 + bash@5.1-6ubuntu1.1 ncurses/libtinfo6@6.3-2ubuntu0.1
    @@ -2759,11 +3172,11 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 ncurses.

    References


    @@ -2822,7 +3235,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - bash@5.1-6ubuntu1 + bash@5.1-6ubuntu1.1 ncurses/libtinfo6@6.3-2ubuntu0.1
    @@ -3023,8 +3436,9 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 ncurses.

    References


    @@ -3320,12 +3734,12 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -3989,11 +4403,11 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 gcc-12.

    References


    @@ -4077,76 +4491,6 @@

    References

    -
    -

    Out-of-bounds Write

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - bash -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@latest and bash@5.1-6ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - bash@5.1-6ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 bash.

    -

    References

    - - -
    - - - -

    diff --git a/docs/snyk/master/redis_7.0.14-alpine.html b/docs/snyk/master/redis_7.0.14-alpine.html
    index 6918363c58c8a..f47d4fe717527
    --- a/docs/snyk/master/redis_7.0.14-alpine.html
    +++ b/docs/snyk/master/redis_7.0.14-alpine.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:15:48 am (UTC+00:00)

    +

    March 24th 2024, 12:15:59 am (UTC+00:00)

    Scanned the following paths:
    @@ -647,12 +647,12 @@

    Remediation

    Upgrade Alpine:3.19 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.7.17/argocd-iac-install.html b/docs/snyk/v2.7.17/argocd-iac-install.html
    index 32103914842e0..cfced2ce2b173
    --- a/docs/snyk/v2.7.17/argocd-iac-install.html
    +++ b/docs/snyk/v2.7.17/argocd-iac-install.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:24:01 am (UTC+00:00)

    +

    March 24th 2024, 12:23:21 am (UTC+00:00)

    Scanned the following path:
    diff --git a/docs/snyk/v2.7.17/argocd-iac-namespace-install.html b/docs/snyk/v2.7.17/argocd-iac-namespace-install.html
    index 4c3ec603bbc05..f9744975422e6
    --- a/docs/snyk/v2.7.17/argocd-iac-namespace-install.html
    +++ b/docs/snyk/v2.7.17/argocd-iac-namespace-install.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:24:09 am (UTC+00:00)

    +

    March 24th 2024, 12:23:30 am (UTC+00:00)

    Scanned the following path:
    diff --git a/docs/snyk/v2.7.17/argocd-test.html b/docs/snyk/v2.7.17/argocd-test.html
    index df4899cb5590f..f130f831d96d1
    --- a/docs/snyk/v2.7.17/argocd-test.html
    +++ b/docs/snyk/v2.7.17/argocd-test.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:22:25 am (UTC+00:00)

    +

    March 24th 2024, 12:21:51 am (UTC+00:00)

    Scanned the following paths:
    diff --git a/docs/snyk/v2.7.17/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.7.17/ghcr.io_dexidp_dex_v2.37.0.html
    index a699484eaeaf8..2bc1adb34dcef
    --- a/docs/snyk/v2.7.17/ghcr.io_dexidp_dex_v2.37.0.html
    +++ b/docs/snyk/v2.7.17/ghcr.io_dexidp_dex_v2.37.0.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:22:31 am (UTC+00:00)

    +

    March 24th 2024, 12:21:56 am (UTC+00:00)

    Scanned the following paths:
    @@ -1956,12 +1956,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.7.17/haproxy_2.6.14-alpine.html b/docs/snyk/v2.7.17/haproxy_2.6.14-alpine.html
    index f64929c484580..4487d720d3a0c
    --- a/docs/snyk/v2.7.17/haproxy_2.6.14-alpine.html
    +++ b/docs/snyk/v2.7.17/haproxy_2.6.14-alpine.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:22:35 am (UTC+00:00)

    +

    March 24th 2024, 12:22:00 am (UTC+00:00)

    Scanned the following path:
    @@ -1030,12 +1030,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.7.17/quay.io_argoproj_argocd_v2.7.17.html b/docs/snyk/v2.7.17/quay.io_argoproj_argocd_v2.7.17.html index 849295ba90c7f..88785b4be1777 100644 --- a/docs/snyk/v2.7.17/quay.io_argoproj_argocd_v2.7.17.html +++ b/docs/snyk/v2.7.17/quay.io_argoproj_argocd_v2.7.17.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:22:57 am (UTC+00:00)

    +

    March 24th 2024, 12:22:17 am (UTC+00:00)

    Scanned the following paths:
    @@ -470,8 +470,8 @@

    Snyk test report

    -
    41 known vulnerabilities
    -
    198 vulnerable dependency paths
    +
    46 known vulnerabilities
    +
    224 vulnerable dependency paths
    2070 dependencies
    @@ -875,14 +875,14 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 xz-utils.

    References


    @@ -951,14 +951,14 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 openssh.

    References


    @@ -967,6 +967,290 @@

    References

    More about this vulnerability

    +
    +
    +

    Information Exposure

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + libgcrypt20 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.7.17 and libgcrypt20@1.9.4-3ubuntu3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + apt@2.4.11 + + gnupg2/gpgv@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpgsm@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + systemd/libsystemd0@249.11-0ubuntu3.12 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 libgcrypt20.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2022-48624

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + less +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.7.17 and less@590-1ubuntu0.22.04.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + less@590-1ubuntu0.22.04.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream less package and not the less package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.

    +

    Remediation

    +

    Upgrade Ubuntu:22.04 less to version 590-1ubuntu0.22.04.2 or higher.

    +

    References

    + + +
    + + +

    CVE-2024-26461

    @@ -1177,8 +1461,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -1397,8 +1681,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -1617,8 +1901,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -1858,12 +2142,452 @@

    Allocation of Resources Without Limits or Throttling

    Vulnerable module: - golang.org/x/net/http2 + golang.org/x/net/http2 + + +
  • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.5.0 + +
  • + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/http2@v0.5.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

    +

    Note:

    +

    This issue is related to CVE-2023-44487

    +

    Remediation

    +

    Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Authentication Bypass by Capture-replay

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + golang.org/x/crypto/ssh@v0.16.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    +

    Note:

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Information Exposure

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + gnutls28/libgnutls30 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.7.17 and gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.2 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 gnutls28.

    +

    References

    + + +
    + + + +
    +
    +

    Uncaught Exception

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + gnutls28/libgnutls30 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.7.17 and gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.2 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 gnutls28.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff
    • Introduced through: - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.5.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
    @@ -1876,9 +2600,9 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + github.com/argoproj/argo-cd/v2@* - golang.org/x/net/http2@v0.5.0 + github.com/r3labs/diff@v1.1.0
    @@ -1889,29 +2613,17 @@

      Detailed paths


      -

      Overview

      -

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      -

      Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

      -

      Note:

      -

      This issue is related to CVE-2023-44487

      -

      Remediation

      -

      Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

      -

      References

      - +

      MPL-2.0 license


    -

    Authentication Bypass by Capture-replay

    +

    MPL-2.0 license

    @@ -1928,14 +2640,14 @@

    Authentication Bypass by Capture-replay

    Package Manager: golang
  • - Vulnerable module: + Module: - golang.org/x/crypto/ssh + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  •
  @@ -1950,7 +2662,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - golang.org/x/crypto/ssh@v0.16.0 + github.com/hashicorp/go-version@v1.2.1
    @@ -1961,45 +2673,12 @@

    Detailed paths


    -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    @@ -2023,12 +2702,12 @@

    MPL-2.0 license

  • Module: - github.com/r3labs/diff + github.com/hashicorp/go-retryablehttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.0
  • @@ -2043,7 +2722,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/r3labs/diff@v1.1.0 + github.com/hashicorp/go-retryablehttp@v0.7.0 @@ -2059,7 +2738,7 @@

    Detailed paths


    @@ -2083,12 +2762,12 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-version + github.com/hashicorp/go-cleanhttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2
  • @@ -2103,7 +2782,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/hashicorp/go-version@v1.2.1 + github.com/hashicorp/go-cleanhttp@v0.5.2 @@ -2119,7 +2798,7 @@

    Detailed paths


    @@ -2143,12 +2822,12 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-retryablehttp + github.com/gosimple/slug
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.0 + github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1
  • @@ -2163,7 +2842,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/hashicorp/go-retryablehttp@v0.7.0 + github.com/gosimple/slug@v1.13.1 @@ -2179,12 +2858,12 @@

    Detailed paths


    -

    MPL-2.0 license

    +

    Denial of Service (DoS)

    @@ -2195,20 +2874,20 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.7.17/helm/v3 /usr/local/bin/helm
    • Package Manager: golang
    • - Module: + Vulnerable module: - github.com/hashicorp/go-cleanhttp + github.com/docker/distribution/registry/api/v2
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + helm.sh/helm/v3@* and github.com/docker/distribution/registry/api/v2@v2.8.1+incompatible
    @@ -2221,9 +2900,9 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + helm.sh/helm/v3@* - github.com/hashicorp/go-cleanhttp@v0.5.2 + github.com/docker/distribution/registry/api/v2@v2.8.1+incompatible @@ -2234,17 +2913,26 @@

      Detailed paths


      -

      MPL-2.0 license

      +

      Overview

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper validation of the value passed to the n parameter in the /v2/_catalog endpoint. + Exploiting this vulnerability is possible by sending a crafted malicious request to the /v2/_catalog API endpoint, which results in an allocation of a massive string array and excessive use of memory.

      +

      Remediation

      +

      Upgrade github.com/docker/distribution/registry/api/v2 to version 2.8.2-beta.1 or higher.

      +

      References

      +
    -

    MPL-2.0 license

    +

    Resource Exhaustion

    @@ -2255,21 +2943,21 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • - Module: + Vulnerable module: - github.com/gosimple/slug + expat/libexpat1
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1 + docker-image|quay.io/argoproj/argocd@v2.7.17, git@1:2.34.1-1ubuntu1.10 and others
    @@ -2281,9 +2969,11 @@

    Detailed paths

    -

    Denial of Service (DoS)

    +

    CVE-2024-28757

    @@ -2315,21 +3017,21 @@

    Denial of Service (DoS)

    • - Manifest file: quay.io/argoproj/argocd:v2.7.17/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - github.com/docker/distribution/registry/api/v2 + expat/libexpat1
    • Introduced through: - helm.sh/helm/v3@* and github.com/docker/distribution/registry/api/v2@v2.8.1+incompatible + docker-image|quay.io/argoproj/argocd@v2.7.17, git@1:2.34.1-1ubuntu1.10 and others
    @@ -2341,9 +3043,11 @@

    Detailed paths

    -

    Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

    +

    Out-of-bounds Write

    @@ -2392,13 +3102,13 @@

    Improper Restriction of Recursive Entity References in D
  • Vulnerable module: - expat/libexpat1 + bash
  • Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.17 and bash@5.1-6ubuntu1 - docker-image|quay.io/argoproj/argocd@v2.7.17, git@1:2.34.1-1ubuntu1.10 and others
  • @@ -2412,9 +3122,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.7.17 - git@1:2.34.1-1ubuntu1.10 - - expat/libexpat1@2.4.7-1ubuntu0.2 + bash@5.1-6ubuntu1 @@ -2426,23 +3134,21 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

    +

    A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 expat.

    +

    Upgrade Ubuntu:22.04 bash to version 5.1-6ubuntu1.1 or higher.

    References


    @@ -2606,13 +3312,13 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 systemd.

    References


    @@ -2712,11 +3418,11 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 shadow.

    References


    @@ -2816,11 +3522,11 @@

    Remediation

    Upgrade Ubuntu:22.04 shadow to version 1:4.8.1-2ubuntu2.2 or higher.

    References


    @@ -2977,8 +3683,8 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 patch.

    References


    @@ -3455,13 +4161,13 @@

    Remediation

    Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.14 or higher.

    References


    @@ -4087,11 +4793,11 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 ncurses.

    References


    @@ -4351,8 +5057,9 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 ncurses.

    References


    @@ -4648,12 +5355,12 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    @@ -5317,11 +6024,11 @@

    Remediation

    There is no fixed version for Ubuntu:22.04 gcc-12.

    References


    @@ -5405,76 +6112,6 @@

    References

    -
    -

    Out-of-bounds Write

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.7.17/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - bash -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.7.17 and bash@5.1-6ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.17 - - bash@5.1-6ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 bash.

    -

    References

    - - -
    - - - -
    diff --git a/docs/snyk/v2.7.17/redis_7.0.14-alpine.html b/docs/snyk/v2.7.17/redis_7.0.14-alpine.html index 7eb688894a137..ea9cd5f9152fd 100644 --- a/docs/snyk/v2.7.17/redis_7.0.14-alpine.html +++ b/docs/snyk/v2.7.17/redis_7.0.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:23:00 am (UTC+00:00)

    +

    March 24th 2024, 12:22:21 am (UTC+00:00)

    Scanned the following paths: @@ -647,12 +647,12 @@

    Remediation

    Upgrade Alpine:3.19 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.8.11/argocd-iac-install.html b/docs/snyk/v2.8.13/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.8.11/argocd-iac-install.html rename to docs/snyk/v2.8.13/argocd-iac-install.html index 27fddcc48a072..8e0c8abdd40c3 100644 --- a/docs/snyk/v2.8.11/argocd-iac-install.html +++ b/docs/snyk/v2.8.13/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:22:02 am (UTC+00:00)

    +

    March 24th 2024, 12:21:30 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.11/argocd-iac-namespace-install.html b/docs/snyk/v2.8.13/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.8.11/argocd-iac-namespace-install.html rename to docs/snyk/v2.8.13/argocd-iac-namespace-install.html index d98febaa6d6d8..17296cd003c37 100644 --- a/docs/snyk/v2.8.11/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.8.13/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:22:11 am (UTC+00:00)

    +

    March 24th 2024, 12:21:38 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.11/argocd-test.html b/docs/snyk/v2.8.13/argocd-test.html similarity index 99% rename from docs/snyk/v2.8.11/argocd-test.html rename to docs/snyk/v2.8.13/argocd-test.html index 28855fd7a720d..8f02f01423f2f 100644 --- a/docs/snyk/v2.8.11/argocd-test.html +++ b/docs/snyk/v2.8.13/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:20:21 am (UTC+00:00)

    +

    March 24th 2024, 12:19:50 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.9.7/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.13/ghcr.io_dexidp_dex_v2.37.0.html similarity index 99% rename from docs/snyk/v2.9.7/ghcr.io_dexidp_dex_v2.37.0.html rename to docs/snyk/v2.8.13/ghcr.io_dexidp_dex_v2.37.0.html index 1cfab79a9b848..24a737a6ba12f 100644 --- a/docs/snyk/v2.9.7/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.8.13/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:18:13 am (UTC+00:00)

    +

    March 24th 2024, 12:19:56 am (UTC+00:00)

    Scanned the following paths: @@ -1956,12 +1956,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.9.7/haproxy_2.6.14-alpine.html b/docs/snyk/v2.8.13/haproxy_2.6.14-alpine.html similarity index 98% rename from docs/snyk/v2.9.7/haproxy_2.6.14-alpine.html rename to docs/snyk/v2.8.13/haproxy_2.6.14-alpine.html index 6faea3eff8d59..b2b3a76ed356e 100644 --- a/docs/snyk/v2.9.7/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.8.13/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:18:17 am (UTC+00:00)

    +

    March 24th 2024, 12:20:01 am (UTC+00:00)

    Scanned the following path: @@ -1030,12 +1030,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.9.7/quay.io_argoproj_argocd_v2.9.7.html b/docs/snyk/v2.8.13/quay.io_argoproj_argocd_v2.8.13.html similarity index 79% rename from docs/snyk/v2.9.7/quay.io_argoproj_argocd_v2.9.7.html rename to docs/snyk/v2.8.13/quay.io_argoproj_argocd_v2.8.13.html index b93ca0d8da6f5..01078e7e7a861 100644 --- a/docs/snyk/v2.9.7/quay.io_argoproj_argocd_v2.9.7.html +++ b/docs/snyk/v2.8.13/quay.io_argoproj_argocd_v2.8.13.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,23 +456,23 @@

    Snyk test report

    -

    March 10th 2024, 12:18:37 am (UTC+00:00)

    +

    March 24th 2024, 12:20:18 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.9.7/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.9.7//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.9.7/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.9.7/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.8.13/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.8.13/kustomize/kustomize/v5//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.8.13/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.8.13/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    -
    34 known vulnerabilities
    -
    156 vulnerable dependency paths
    -
    2189 dependencies
    +
    39 known vulnerabilities
    +
    182 vulnerable dependency paths
    +
    2120 dependencies
    @@ -492,7 +492,7 @@

    Denial of Service (DoS)

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -500,12 +500,12 @@

      Denial of Service (DoS)

    • Vulnerable module: - google.golang.org/grpc + golang.org/x/net/http2
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/grpc@v1.56.2 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0
    @@ -518,9 +518,9 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + helm.sh/helm/v3@* - google.golang.org/grpc@v1.56.2 + golang.org/x/net/http2@v0.8.0 @@ -532,10 +532,10 @@

      Detailed paths


      Overview

      -

      google.golang.org/grpc is a Go implementation of gRPC

      +

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

      Remediation

      -

      Upgrade google.golang.org/grpc to version 1.56.3, 1.57.1, 1.58.3 or higher.

      +

      Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

      References

    +
    +

    Denial of Service (DoS)

    +
    + +
    + high severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-jose/go-jose/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v3@v3.0.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + github.com/go-jose/go-jose/v3@v3.0.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Denial of Service (DoS) when decrypting JWE inputs. An attacker can cause a denial-of-service by providing a PBES2 encrypted JWE blob with a very large p2c value.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade github.com/go-jose/go-jose/v3 to version 3.0.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Directory Traversal

    +
    + +
    + high severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.13/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/cyphar/filepath-securejoin +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and github.com/cyphar/filepath-securejoin@v0.2.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + github.com/cyphar/filepath-securejoin@v0.2.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Directory Traversal via the filepath.FromSlash() function, allwoing attackers to generate paths that were outside of the provided rootfs.

    +

    Note: + This vulnerability is only exploitable on Windows OS.

    +

    Details

    +

    A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

    +

    Directory Traversal vulnerabilities can be generally divided into two types:

    +
      +
    • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
    • +
    +

    st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

    +

    If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

    +
    curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
    +        
    +

    Note %2e is the URL encoded version of . (dot).

    +
      +
    • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
    • +
    +

    One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

    +

    The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

    +
    2018-04-15 22:04:29 .....           19           19  good.txt
    +        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
    +        
    +

    Remediation

    +

    Upgrade github.com/cyphar/filepath-securejoin to version 0.2.4 or higher.

    +

    References

    + + +
    + +
    @@ -573,7 +743,7 @@

    CVE-2020-22916

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -586,7 +756,7 @@

      CVE-2020-22916

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and xz-utils/liblzma5@5.2.5-2ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.8.13 and xz-utils/liblzma5@5.2.5-2ubuntu1
    @@ -599,7 +769,7 @@

    Detailed paths

    +
    +
    +

    Information Exposure

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + libgcrypt20 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.13 and libgcrypt20@1.9.4-3ubuntu3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + apt@2.4.11 + + gnupg2/gpgv@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpgsm@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + systemd/libsystemd0@249.11-0ubuntu3.12 + + libgcrypt20@1.9.4-3ubuntu3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 libgcrypt20.

    +

    References

    + + +
    + + +

    CVE-2024-26461

    @@ -725,7 +1107,7 @@

    CVE-2024-26461

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -738,7 +1120,7 @@

      CVE-2024-26461

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.8.13 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
    @@ -751,7 +1133,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -760,7 +1142,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -781,7 +1163,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -804,7 +1186,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -813,7 +1195,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -834,7 +1216,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -843,7 +1225,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -854,7 +1236,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -867,7 +1249,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -882,7 +1264,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -901,7 +1283,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -922,8 +1304,8 @@

      Remediation

      There is no fixed version for Ubuntu:22.04 krb5.

      References


      @@ -945,7 +1327,7 @@

      CVE-2024-26462

      • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -958,7 +1340,7 @@

        CVE-2024-26462

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.8.13 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
      @@ -971,7 +1353,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -980,7 +1362,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1001,7 +1383,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1024,7 +1406,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -1033,7 +1415,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1054,7 +1436,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -1063,7 +1445,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -1074,7 +1456,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -1087,7 +1469,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -1102,7 +1484,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1121,7 +1503,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -1142,8 +1524,8 @@

        Remediation

        There is no fixed version for Ubuntu:22.04 krb5.

        References


        @@ -1165,7 +1547,7 @@

        CVE-2024-26458

        • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -1178,7 +1560,7 @@

          CVE-2024-26458

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.8.13 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
        @@ -1191,7 +1573,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -1200,7 +1582,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1221,7 +1603,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1244,7 +1626,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -1253,7 +1635,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1274,7 +1656,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -1283,7 +1665,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -1294,7 +1676,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -1307,7 +1689,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -1322,7 +1704,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -1341,7 +1723,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -1362,8 +1744,8 @@

          Remediation

          There is no fixed version for Ubuntu:22.04 krb5.

          References


          @@ -1385,7 +1767,7 @@

          LGPL-3.0 license

          • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
          • Package Manager: golang @@ -1445,7 +1827,7 @@

            Infinite loop

            • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
            • Package Manager: golang @@ -1516,7 +1898,7 @@

              Stack-based Buffer Overflow

              • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
              • Package Manager: golang @@ -1568,12 +1950,248 @@

                References


                + +
    +
    +

    Infinite loop

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + google.golang.org/protobuf/encoding/protojson +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + google.golang.org/protobuf/encoding/protojson@v1.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.13/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/http2 +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/http2@v0.8.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

    +

    Note:

    +

    This issue is related to CVE-2023-44487

    +

    Remediation

    +

    Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Authentication Bypass by Capture-replay

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + golang.org/x/crypto/ssh@v0.16.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    +

    Note:

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    +

    References

    + + +
    + +
    -

    Infinite loop

    +

    Information Exposure

    @@ -1584,20 +2202,20 @@

    Infinite loop

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - google.golang.org/protobuf/encoding/protojson + gnutls28/libgnutls30
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + docker-image|quay.io/argoproj/argocd@v2.8.13 and gnutls28/libgnutls30@3.7.3-4ubuntu1.4
    @@ -1610,9 +2228,74 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@v2.8.13 - google.golang.org/protobuf/encoding/protojson@v1.31.0 + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.17+dfsg-0ubuntu0.22.04.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 @@ -1623,28 +2306,30 @@

      Detailed paths


      -

      Overview

      -

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      -

      Note:

      -

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

      Remediation

      -

      Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

      +

      There is no fixed version for Ubuntu:22.04 gnutls28.

      References


    -

    Authentication Bypass by Capture-replay

    +

    Uncaught Exception

    @@ -1655,20 +2340,20 @@

    Authentication Bypass by Capture-replay

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - golang.org/x/crypto/ssh + gnutls28/libgnutls30
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 + docker-image|quay.io/argoproj/argocd@v2.8.13 and gnutls28/libgnutls30@3.7.3-4ubuntu1.4
    @@ -1681,9 +2366,74 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@v2.8.13 - golang.org/x/crypto/ssh@v0.16.0 + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.17+dfsg-0ubuntu0.22.04.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 @@ -1694,45 +2444,24 @@

      Detailed paths


      -

      Overview

      -

      golang.org/x/crypto/ssh is a SSH client and server

      -

      Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

      -

      Note:

      -
        -
      1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

        -
      2. -
      3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

        -
      4. -
      -

      Impact:

      -

      While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

      -

      Workaround

      -

      Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

      Remediation

      -

      Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

      +

      There is no fixed version for Ubuntu:22.04 gnutls28.

      References


    @@ -1748,7 +2477,7 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • Package Manager: golang @@ -1808,7 +2537,7 @@

      MPL-2.0 license

      • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
      • Package Manager: golang @@ -1868,7 +2597,7 @@

        MPL-2.0 license

        • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
        • Package Manager: golang @@ -1928,7 +2657,7 @@

          MPL-2.0 license

          • - Manifest file: quay.io/argoproj/argocd:v2.9.7/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:v2.8.13/helm/v3 /usr/local/bin/helm
          • Package Manager: golang @@ -1988,7 +2717,7 @@

            MPL-2.0 license

            • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
            • Package Manager: golang @@ -2048,7 +2777,7 @@

              MPL-2.0 license

              • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
              • Package Manager: golang @@ -2108,7 +2837,7 @@

                Improper Handling of Highly Compressed Data (Data Amplif
                • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argo-cd/v2 /usr/local/bin/argocd
                • Package Manager: golang @@ -2121,7 +2850,7 @@

                  Improper Handling of Highly Compressed Data (Data Amplif
                • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v3@v3.0.1 + github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v3@v3.0.0
                @@ -2136,7 +2865,7 @@

                Detailed paths

                Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/go-jose/go-jose/v3@v3.0.1 + github.com/go-jose/go-jose/v3@v3.0.0 @@ -2166,7 +2895,7 @@

                References

    -

    Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

    +

    Out-of-bounds Write

    @@ -2177,7 +2906,7 @@

    Improper Restriction of Recursive Entity References in D
    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2185,13 +2914,13 @@

      Improper Restriction of Recursive Entity References in D
    • Vulnerable module: - expat/libexpat1 + bash
    • Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.13 and bash@5.1-6ubuntu1 - docker-image|quay.io/argoproj/argocd@v2.9.7, git@1:2.34.1-1ubuntu1.10 and others
    @@ -2203,11 +2932,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 - git@1:2.34.1-1ubuntu1.10 - - expat/libexpat1@2.4.7-1ubuntu0.2 + bash@5.1-6ubuntu1 @@ -2219,23 +2946,21 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. +

      Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

      +

      A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 expat.

      +

      Upgrade Ubuntu:22.04 bash to version 5.1-6ubuntu1.1 or higher.

      References


    @@ -2251,7 +2976,7 @@

    CVE-2023-7008

    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2264,7 +2989,7 @@

      CVE-2023-7008

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and systemd/libsystemd0@249.11-0ubuntu3.12 + docker-image|quay.io/argoproj/argocd@v2.8.13 and systemd/libsystemd0@249.11-0ubuntu3.12
    @@ -2277,7 +3002,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 systemd/libsystemd0@249.11-0ubuntu3.12 @@ -2286,7 +3011,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 apt@2.4.11 @@ -2297,7 +3022,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps/libprocps8@2:3.3.17-6ubuntu2.1 @@ -2308,7 +3033,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 util-linux@2.37.2-4ubuntu3 @@ -2319,7 +3044,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 util-linux/bsdutils@1:2.37.2-4ubuntu3 @@ -2330,7 +3055,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 apt@2.4.11 @@ -2343,7 +3068,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 systemd/libudev1@249.11-0ubuntu3.12 @@ -2352,7 +3077,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 libfido2/libfido2-1@1.10.0-1 @@ -2363,7 +3088,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 util-linux@2.37.2-4ubuntu3 @@ -2374,7 +3099,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 apt@2.4.11 @@ -2399,13 +3124,13 @@

      Remediation

      There is no fixed version for Ubuntu:22.04 systemd.

      References


      @@ -2427,7 +3152,7 @@

      Arbitrary Code Injection

      • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -2440,7 +3165,7 @@

        Arbitrary Code Injection

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and shadow/passwd@1:4.8.1-2ubuntu2.2 + docker-image|quay.io/argoproj/argocd@v2.8.13 and shadow/passwd@1:4.8.1-2ubuntu2.2
      @@ -2453,7 +3178,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 shadow/passwd@1:4.8.1-2ubuntu2.2 @@ -2462,7 +3187,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -2473,7 +3198,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -2484,7 +3209,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 shadow/login@1:4.8.1-2ubuntu2.2 @@ -2505,11 +3230,11 @@

        Remediation

        There is no fixed version for Ubuntu:22.04 shadow.

        References


        @@ -2531,7 +3256,7 @@

        Uncontrolled Recursion

        • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -2544,7 +3269,7 @@

          Uncontrolled Recursion

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.8.13 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
        @@ -2557,7 +3282,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -2566,7 +3291,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 grep@3.7-1build1 @@ -2619,7 +3344,7 @@

          Release of Invalid Pointer or Reference

          • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
          • Package Manager: ubuntu:22.04 @@ -2632,7 +3357,7 @@

            Release of Invalid Pointer or Reference

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.8.13 and patch@2.7.6-7build2
          @@ -2645,7 +3370,7 @@

          Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 patch@2.7.6-7build2 @@ -2666,8 +3391,8 @@

            Remediation

            There is no fixed version for Ubuntu:22.04 patch.

            References


            @@ -2689,7 +3414,7 @@

            Double Free

            • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
            • Package Manager: ubuntu:22.04 @@ -2702,7 +3427,7 @@

              Double Free

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.8.13 and patch@2.7.6-7build2
            @@ -2715,7 +3440,7 @@

            Detailed paths

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 patch@2.7.6-7build2 @@ -2764,7 +3489,7 @@

              CVE-2023-50495

              • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
              • Package Manager: ubuntu:22.04 @@ -2777,7 +3502,7 @@

                CVE-2023-50495

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.13 and ncurses/libtinfo6@6.3-2ubuntu0.1
              @@ -2790,7 +3515,7 @@

              Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -2799,7 +3524,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 bash@5.1-6ubuntu1 @@ -2810,7 +3535,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -2821,7 +3546,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 less@590-1ubuntu0.22.04.2 @@ -2832,7 +3557,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 libedit/libedit2@3.1-20210910-1build1 @@ -2843,7 +3568,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -2854,7 +3579,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -2865,7 +3590,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps@2:3.3.17-6ubuntu2.1 @@ -2876,7 +3601,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 util-linux@2.37.2-4ubuntu3 @@ -2887,7 +3612,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2902,7 +3627,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2917,7 +3642,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -2926,7 +3651,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps@2:3.3.17-6ubuntu2.1 @@ -2937,7 +3662,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2952,7 +3677,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -2961,7 +3686,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps@2:3.3.17-6ubuntu2.1 @@ -2972,7 +3697,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -2981,7 +3706,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3002,11 +3727,11 @@

                Remediation

                There is no fixed version for Ubuntu:22.04 ncurses.

                References


                @@ -3028,7 +3753,7 @@

                CVE-2023-45918

                • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                • Package Manager: ubuntu:22.04 @@ -3041,7 +3766,7 @@

                  CVE-2023-45918

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.13 and ncurses/libtinfo6@6.3-2ubuntu0.1
                @@ -3054,7 +3779,7 @@

                Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -3063,7 +3788,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 bash@5.1-6ubuntu1 @@ -3074,7 +3799,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3085,7 +3810,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 less@590-1ubuntu0.22.04.2 @@ -3096,7 +3821,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 libedit/libedit2@3.1-20210910-1build1 @@ -3107,7 +3832,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3118,7 +3843,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3129,7 +3854,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps@2:3.3.17-6ubuntu2.1 @@ -3140,7 +3865,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 util-linux@2.37.2-4ubuntu3 @@ -3151,7 +3876,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3166,7 +3891,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3181,7 +3906,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3190,7 +3915,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps@2:3.3.17-6ubuntu2.1 @@ -3201,7 +3926,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3216,7 +3941,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3225,7 +3950,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 procps@2:3.3.17-6ubuntu2.1 @@ -3236,7 +3961,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -3245,7 +3970,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3266,8 +3991,9 @@

                  Remediation

                  There is no fixed version for Ubuntu:22.04 ncurses.

                  References


                  @@ -3289,7 +4015,7 @@

                  Resource Exhaustion

                  • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                  • Package Manager: ubuntu:22.04 @@ -3302,7 +4028,7 @@

                    Resource Exhaustion

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and libzstd/libzstd1@1.4.8+dfsg-3build1 + docker-image|quay.io/argoproj/argocd@v2.8.13 and libzstd/libzstd1@1.4.8+dfsg-3build1
                  @@ -3315,7 +4041,7 @@

                  Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -3366,7 +4092,7 @@

                    Integer Overflow or Wraparound

                    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                    • Package Manager: ubuntu:22.04 @@ -3379,7 +4105,7 @@

                      Integer Overflow or Wraparound

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.8.13 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
                    @@ -3392,7 +4118,7 @@

                    Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3401,7 +4127,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -3422,7 +4148,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -3445,7 +4171,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3454,7 +4180,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -3475,7 +4201,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3484,7 +4210,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -3495,7 +4221,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -3508,7 +4234,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -3523,7 +4249,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 adduser@3.118ubuntu5 @@ -3542,7 +4268,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3563,12 +4289,12 @@

                      Remediation

                      There is no fixed version for Ubuntu:22.04 krb5.

                      References


                      @@ -3590,7 +4316,7 @@

                      Out-of-bounds Write

                      • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                      • Package Manager: ubuntu:22.04 @@ -3603,7 +4329,7 @@

                        Out-of-bounds Write

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.8.13 and gnupg2/gpgv@2.2.27-3ubuntu2.1
                      @@ -3616,7 +4342,7 @@

                      Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -3625,7 +4351,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 apt@2.4.11 @@ -3636,7 +4362,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3647,7 +4373,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -3658,7 +4384,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3669,7 +4395,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3682,7 +4408,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3695,7 +4421,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -3704,7 +4430,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3715,7 +4441,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3728,7 +4454,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -3737,7 +4463,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3748,7 +4474,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -3757,7 +4483,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3768,7 +4494,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3777,7 +4503,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3788,7 +4514,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3801,7 +4527,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3814,7 +4540,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -3823,7 +4549,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3834,7 +4560,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3847,7 +4573,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3860,7 +4586,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -3869,7 +4595,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3880,7 +4606,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -3889,7 +4615,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3900,7 +4626,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -3909,7 +4635,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3920,7 +4646,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3969,7 +4695,7 @@

                        Allocation of Resources Without Limits or Throttling

                      • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                      • Package Manager: ubuntu:22.04 @@ -3982,7 +4708,7 @@

                        Allocation of Resources Without Limits or Throttling

                        Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and glibc/libc-bin@2.35-0ubuntu3.6 + docker-image|quay.io/argoproj/argocd@v2.8.13 and glibc/libc-bin@2.35-0ubuntu3.6
                      @@ -3995,7 +4721,7 @@

                      Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 glibc/libc-bin@2.35-0ubuntu3.6 @@ -4004,7 +4730,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 glibc/libc6@2.35-0ubuntu3.6 @@ -4050,7 +4776,7 @@

                        Improper Input Validation

                        • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                        • Package Manager: ubuntu:22.04 @@ -4064,7 +4790,7 @@

                          Improper Input Validation

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7, git@1:2.34.1-1ubuntu1.10 and others + docker-image|quay.io/argoproj/argocd@v2.8.13, git@1:2.34.1-1ubuntu1.10 and others
                        @@ -4076,7 +4802,7 @@

                        Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -4087,7 +4813,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git@1:2.34.1-1ubuntu1.10 @@ -4096,7 +4822,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 + docker-image|quay.io/argoproj/argocd@v2.8.13 git-lfs@3.0.2-1ubuntu0.2 @@ -4143,7 +4869,7 @@

                          Uncontrolled Recursion

                          • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.13/argoproj/argocd Dockerfile
                          • Package Manager: ubuntu:22.04 @@ -4156,7 +4882,7 @@

                            Uncontrolled Recursion

                          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + docker-image|quay.io/argoproj/argocd@v2.8.13 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
                          @@ -4169,7 +4895,7 @@

                          Detailed paths

    -
    -

    Out-of-bounds Write

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.7/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - bash -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.9.7 and bash@5.1-6ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.7 - - bash@5.1-6ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 bash.

    -

    References

    - - -
    - - - -
    diff --git a/docs/snyk/v2.8.11/redis_7.0.11-alpine.html b/docs/snyk/v2.8.13/redis_7.0.11-alpine.html similarity index 99% rename from docs/snyk/v2.8.11/redis_7.0.11-alpine.html rename to docs/snyk/v2.8.13/redis_7.0.11-alpine.html index 63149d7b47604..9df9ec7f93123 100644 --- a/docs/snyk/v2.8.11/redis_7.0.11-alpine.html +++ b/docs/snyk/v2.8.13/redis_7.0.11-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:20:56 am (UTC+00:00)

    +

    March 24th 2024, 12:20:22 am (UTC+00:00)

    Scanned the following path: @@ -1686,12 +1686,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.9.7/argocd-iac-install.html b/docs/snyk/v2.9.9/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.9.7/argocd-iac-install.html rename to docs/snyk/v2.9.9/argocd-iac-install.html index 67fa78330056f..e25fc886459cb 100644 --- a/docs/snyk/v2.9.7/argocd-iac-install.html +++ b/docs/snyk/v2.9.9/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:19:57 am (UTC+00:00)

    +

    March 24th 2024, 12:19:27 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.7/argocd-iac-namespace-install.html b/docs/snyk/v2.9.9/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.9.7/argocd-iac-namespace-install.html rename to docs/snyk/v2.9.9/argocd-iac-namespace-install.html index 13a3271e52299..5fd494538c87c 100644 --- a/docs/snyk/v2.9.7/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.9.9/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:20:05 am (UTC+00:00)

    +

    March 24th 2024, 12:19:35 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.7/argocd-test.html b/docs/snyk/v2.9.9/argocd-test.html similarity index 99% rename from docs/snyk/v2.9.7/argocd-test.html rename to docs/snyk/v2.9.9/argocd-test.html index 91bd99a84a3c1..c4894f56b168a 100644 --- a/docs/snyk/v2.9.7/argocd-test.html +++ b/docs/snyk/v2.9.9/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:17:33 am (UTC+00:00)

    +

    March 24th 2024, 12:17:43 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.11/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.9.9/ghcr.io_dexidp_dex_v2.37.0.html similarity index 99% rename from docs/snyk/v2.8.11/ghcr.io_dexidp_dex_v2.37.0.html rename to docs/snyk/v2.9.9/ghcr.io_dexidp_dex_v2.37.0.html index ec112c8b0b441..ca1fb70c0e4b2 100644 --- a/docs/snyk/v2.8.11/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.9.9/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:20:28 am (UTC+00:00)

    +

    March 24th 2024, 12:17:49 am (UTC+00:00)

    Scanned the following paths: @@ -1956,12 +1956,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.8.11/haproxy_2.6.14-alpine.html b/docs/snyk/v2.9.9/haproxy_2.6.14-alpine.html similarity index 98% rename from docs/snyk/v2.8.11/haproxy_2.6.14-alpine.html rename to docs/snyk/v2.9.9/haproxy_2.6.14-alpine.html index 70bbd5dfaa75d..22d46e565dc6f 100644 --- a/docs/snyk/v2.8.11/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.9.9/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:20:32 am (UTC+00:00)

    +

    March 24th 2024, 12:17:53 am (UTC+00:00)

    Scanned the following path: @@ -1030,12 +1030,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    diff --git a/docs/snyk/v2.8.11/quay.io_argoproj_argocd_v2.8.11.html b/docs/snyk/v2.9.9/quay.io_argoproj_argocd_v2.9.9.html similarity index 85% rename from docs/snyk/v2.8.11/quay.io_argoproj_argocd_v2.8.11.html rename to docs/snyk/v2.9.9/quay.io_argoproj_argocd_v2.9.9.html index fead7d39a22d0..704d480d51ff7 100644 --- a/docs/snyk/v2.8.11/quay.io_argoproj_argocd_v2.8.11.html +++ b/docs/snyk/v2.9.9/quay.io_argoproj_argocd_v2.9.9.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,23 +456,23 @@

    Snyk test report

    -

    March 10th 2024, 12:20:51 am (UTC+00:00)

    +

    March 24th 2024, 12:18:09 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.8.11/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.8.11/kustomize/kustomize/v5//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.8.11/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.8.11/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.9.9/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.9.9//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.9.9/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.9.9/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    -
    37 known vulnerabilities
    -
    159 vulnerable dependency paths
    -
    2120 dependencies
    +
    36 known vulnerabilities
    +
    179 vulnerable dependency paths
    +
    2189 dependencies
    @@ -492,7 +492,7 @@

    Denial of Service (DoS)

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • Package Manager: golang @@ -500,12 +500,12 @@

      Denial of Service (DoS)

    • Vulnerable module: - golang.org/x/net/http2 + google.golang.org/grpc
    • Introduced through: - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0 + github.com/argoproj/argo-cd/v2@* and google.golang.org/grpc@v1.56.2
    @@ -518,9 +518,9 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + github.com/argoproj/argo-cd/v2@* - golang.org/x/net/http2@v0.8.0 + google.golang.org/grpc@v1.56.2 @@ -532,10 +532,10 @@

      Detailed paths


      Overview

      -

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      +

      google.golang.org/grpc is a Go implementation of gRPC

      Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

      Remediation

      -

      Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

      +

      Upgrade google.golang.org/grpc to version 1.56.3, 1.57.1, 1.58.3 or higher.

      References

    -
    -

    Denial of Service (DoS)

    +
    +

    CVE-2020-22916

    -
    - high severity +
    + medium severity

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - github.com/go-jose/go-jose/v3 + xz-utils/liblzma5
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v3@v3.0.0 + docker-image|quay.io/argoproj/argocd@v2.9.9 and xz-utils/liblzma5@5.2.5-2ubuntu1
    @@ -599,9 +599,9 @@

    Detailed paths

    -
    -

    Directory Traversal

    +
    +

    CVE-2023-51767

    -
    - high severity +
    + medium severity

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - github.com/cyphar/filepath-securejoin + openssh/openssh-client
    • Introduced through: - helm.sh/helm/v3@* and github.com/cyphar/filepath-securejoin@v0.2.3 + docker-image|quay.io/argoproj/argocd@v2.9.9 and openssh/openssh-client@1:8.9p1-3ubuntu0.6
    @@ -679,9 +675,9 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + docker-image|quay.io/argoproj/argocd@v2.9.9 - github.com/cyphar/filepath-securejoin@v0.2.3 + openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -692,47 +688,33 @@

      Detailed paths


      -

      Overview

      -

      Affected versions of this package are vulnerable to Directory Traversal via the filepath.FromSlash() function, allwoing attackers to generate paths that were outside of the provided rootfs.

      -

      Note: - This vulnerability is only exploitable on Windows OS.

      -

      Details

      -

      A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

      -

      Directory Traversal vulnerabilities can be generally divided into two types:

      -
        -
      • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
      • -
      -

      st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

      -

      If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

      -
      curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
      -        
      -

      Note %2e is the URL encoded version of . (dot).

      -
        -
      • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
      • -
      -

      One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

      -

      The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

      -
      2018-04-15 22:04:29 .....           19           19  good.txt
      -        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
      -        
      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

      Remediation

      -

      Upgrade github.com/cyphar/filepath-securejoin to version 0.2.4 or higher.

      +

      There is no fixed version for Ubuntu:22.04 openssh.

      References


    -

    CVE-2020-22916

    +

    Information Exposure

    @@ -743,7 +725,7 @@

    CVE-2020-22916

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -751,12 +733,12 @@

      CVE-2020-22916

    • Vulnerable module: - xz-utils/liblzma5 + libgcrypt20
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and xz-utils/liblzma5@5.2.5-2ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.9.9 and libgcrypt20@1.9.4-3ubuntu3
    @@ -769,85 +751,150 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 - xz-utils/liblzma5@5.2.5-2ubuntu1 + libgcrypt20@1.9.4-3ubuntu3
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 xz-utils.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-51767

    -
    - -
    - medium severity -
    +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -
    +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + libgcrypt20@1.9.4-3ubuntu3 + + - openssh/openssh-client -
    • + +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + apt@2.4.11 + + gnupg2/gpgv@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -
    • Introduced through: +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + - docker-image|quay.io/argoproj/argocd@v2.8.11 and openssh/openssh-client@1:8.9p1-3ubuntu0.6 +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -
    • -
    +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -
    +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -

    Detailed paths

    +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpgsm@2.2.27-3ubuntu2.1 + + libgcrypt20@1.9.4-3ubuntu3 + + -
      +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 - openssh/openssh-client@1:8.9p1-3ubuntu0.6 + apt@2.4.11 + + apt/libapt-pkg6.0@2.4.11 + + systemd/libsystemd0@249.11-0ubuntu3.12 + + libgcrypt20@1.9.4-3ubuntu3 @@ -859,27 +906,22 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. +

      Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

      +

      A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 openssh.

      +

      There is no fixed version for Ubuntu:22.04 libgcrypt20.

      References


  • @@ -895,7 +937,7 @@

    CVE-2024-26461

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -908,7 +950,7 @@

      CVE-2024-26461

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.9.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
    @@ -921,7 +963,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -930,7 +972,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -951,7 +993,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -974,7 +1016,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -983,7 +1025,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1004,7 +1046,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -1013,7 +1055,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -1024,7 +1066,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -1037,7 +1079,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -1052,7 +1094,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1071,7 +1113,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -1092,8 +1134,8 @@

      Remediation

      There is no fixed version for Ubuntu:22.04 krb5.

      References


      @@ -1115,7 +1157,7 @@

      CVE-2024-26462

      • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -1128,7 +1170,7 @@

        CVE-2024-26462

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.9.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
      @@ -1141,7 +1183,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -1150,7 +1192,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1171,7 +1213,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1194,7 +1236,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -1203,7 +1245,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1224,7 +1266,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -1233,7 +1275,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -1244,7 +1286,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -1257,7 +1299,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -1272,7 +1314,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1291,7 +1333,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -1312,8 +1354,8 @@

        Remediation

        There is no fixed version for Ubuntu:22.04 krb5.

        References


        @@ -1335,7 +1377,7 @@

        CVE-2024-26458

        • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -1348,7 +1390,7 @@

          CVE-2024-26458

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.9.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
        @@ -1361,7 +1403,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -1370,7 +1412,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1391,7 +1433,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1414,7 +1456,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -1423,7 +1465,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1444,7 +1486,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -1453,7 +1495,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -1464,7 +1506,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -1477,7 +1519,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -1492,7 +1534,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -1511,7 +1553,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -1532,8 +1574,8 @@

          Remediation

          There is no fixed version for Ubuntu:22.04 krb5.

          References


          @@ -1555,7 +1597,7 @@

          LGPL-3.0 license

          • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
          • Package Manager: golang @@ -1615,7 +1657,7 @@

            Infinite loop

            • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
            • Package Manager: golang @@ -1686,7 +1728,7 @@

              Stack-based Buffer Overflow

              • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
              • Package Manager: golang @@ -1754,7 +1796,7 @@

                Infinite loop

                • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
                • Package Manager: golang @@ -1798,23 +1840,116 @@

                  Overview

                  Note:

                  This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

                  Remediation

                  -

                  Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

                  +

                  Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

                  +

                  References

                  + + +
                  + + + +
    +
    +

    Authentication Bypass by Capture-replay

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@* + + golang.org/x/crypto/ssh@v0.16.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    +

    Note:

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Allocation of Resources Without Limits or Throttling

    +

    Information Exposure

    @@ -1825,20 +1960,20 @@

    Allocation of Resources Without Limits or Throttling

  • - Manifest file: quay.io/argoproj/argocd:v2.8.11/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
  • - Package Manager: golang + Package Manager: ubuntu:22.04
  • Vulnerable module: - golang.org/x/net/http2 + gnutls28/libgnutls30
  • Introduced through: - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0 + docker-image|quay.io/argoproj/argocd@v2.9.9 and gnutls28/libgnutls30@3.7.3-4ubuntu1.4
  • @@ -1851,9 +1986,74 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.17+dfsg-0ubuntu0.22.04.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 - golang.org/x/net/http2@v0.8.0 + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 @@ -1864,29 +2064,30 @@

      Detailed paths


      -

      Overview

      -

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      -

      Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

      -

      Note:

      -

      This issue is related to CVE-2023-44487

      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

      Remediation

      -

      Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

      +

      There is no fixed version for Ubuntu:22.04 gnutls28.

      References


    -

    Authentication Bypass by Capture-replay

    +

    Uncaught Exception

    @@ -1897,20 +2098,20 @@

    Authentication Bypass by Capture-replay

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - golang.org/x/crypto/ssh + gnutls28/libgnutls30
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 + docker-image|quay.io/argoproj/argocd@v2.9.9 and gnutls28/libgnutls30@3.7.3-4ubuntu1.4
    @@ -1923,9 +2124,74 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@v2.9.9 - golang.org/x/crypto/ssh@v0.16.0 + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + apt@2.4.11 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + gnupg2/dirmngr@2.2.27-3ubuntu2.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + openldap/libldap-2.5-0@2.5.17+dfsg-0ubuntu0.22.04.1 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.15 + + rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2build4 + + gnutls28/libgnutls30@3.7.3-4ubuntu1.4 @@ -1936,45 +2202,24 @@

      Detailed paths


      -

      Overview

      -

      golang.org/x/crypto/ssh is a SSH client and server

      -

      Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

      -

      Note:

      -
        -
      1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

        -
      2. -
      3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

        -
      4. -
      -

      Impact:

      -

      While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

      -

      Workaround

      -

      Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

      Remediation

      -

      Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

      +

      There is no fixed version for Ubuntu:22.04 gnutls28.

      References


    @@ -1990,7 +2235,7 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • Package Manager: golang @@ -2050,7 +2295,7 @@

      MPL-2.0 license

      • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
      • Package Manager: golang @@ -2110,7 +2355,7 @@

        MPL-2.0 license

        • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
        • Package Manager: golang @@ -2170,7 +2415,7 @@

          MPL-2.0 license

          • - Manifest file: quay.io/argoproj/argocd:v2.8.11/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:v2.9.9/helm/v3 /usr/local/bin/helm
          • Package Manager: golang @@ -2230,7 +2475,7 @@

            MPL-2.0 license

            • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
            • Package Manager: golang @@ -2290,7 +2535,7 @@

              MPL-2.0 license

              • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
              • Package Manager: golang @@ -2350,7 +2595,7 @@

                Improper Handling of Highly Compressed Data (Data Amplif
                • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
                • Package Manager: golang @@ -2363,7 +2608,7 @@

                  Improper Handling of Highly Compressed Data (Data Amplif
                • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v3@v3.0.0 + github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v3@v3.0.1
                @@ -2378,7 +2623,7 @@

                Detailed paths

                Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/go-jose/go-jose/v3@v3.0.0 + github.com/go-jose/go-jose/v3@v3.0.1 @@ -2408,7 +2653,7 @@

                References

    -

    Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

    +

    Out-of-bounds Write

    @@ -2419,7 +2664,7 @@

    Improper Restriction of Recursive Entity References in D
    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2427,13 +2672,13 @@

      Improper Restriction of Recursive Entity References in D
    • Vulnerable module: - expat/libexpat1 + bash
    • Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.9 and bash@5.1-6ubuntu1 - docker-image|quay.io/argoproj/argocd@v2.8.11, git@1:2.34.1-1ubuntu1.10 and others
    @@ -2445,11 +2690,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 - git@1:2.34.1-1ubuntu1.10 - - expat/libexpat1@2.4.7-1ubuntu0.2 + bash@5.1-6ubuntu1 @@ -2461,23 +2704,21 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. +

      Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

      +

      A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 expat.

      +

      Upgrade Ubuntu:22.04 bash to version 5.1-6ubuntu1.1 or higher.

      References


    @@ -2493,7 +2734,7 @@

    CVE-2023-7008

    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2506,7 +2747,7 @@

      CVE-2023-7008

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and systemd/libsystemd0@249.11-0ubuntu3.12 + docker-image|quay.io/argoproj/argocd@v2.9.9 and systemd/libsystemd0@249.11-0ubuntu3.12
    @@ -2519,7 +2760,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 systemd/libsystemd0@249.11-0ubuntu3.12 @@ -2528,7 +2769,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 apt@2.4.11 @@ -2539,7 +2780,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps/libprocps8@2:3.3.17-6ubuntu2.1 @@ -2550,7 +2791,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 util-linux@2.37.2-4ubuntu3 @@ -2561,7 +2802,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 util-linux/bsdutils@1:2.37.2-4ubuntu3 @@ -2572,7 +2813,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 apt@2.4.11 @@ -2585,7 +2826,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 systemd/libudev1@249.11-0ubuntu3.12 @@ -2594,7 +2835,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 libfido2/libfido2-1@1.10.0-1 @@ -2605,7 +2846,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 util-linux@2.37.2-4ubuntu3 @@ -2616,7 +2857,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 apt@2.4.11 @@ -2641,13 +2882,13 @@

      Remediation

      There is no fixed version for Ubuntu:22.04 systemd.

      References


      @@ -2669,7 +2910,7 @@

      Arbitrary Code Injection

      • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -2682,7 +2923,7 @@

        Arbitrary Code Injection

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and shadow/passwd@1:4.8.1-2ubuntu2.2 + docker-image|quay.io/argoproj/argocd@v2.9.9 and shadow/passwd@1:4.8.1-2ubuntu2.2
      @@ -2695,7 +2936,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 shadow/passwd@1:4.8.1-2ubuntu2.2 @@ -2704,7 +2945,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -2715,7 +2956,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -2726,7 +2967,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 shadow/login@1:4.8.1-2ubuntu2.2 @@ -2747,11 +2988,11 @@

        Remediation

        There is no fixed version for Ubuntu:22.04 shadow.

        References


        @@ -2773,7 +3014,7 @@

        Uncontrolled Recursion

        • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -2786,7 +3027,7 @@

          Uncontrolled Recursion

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.9.9 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
        @@ -2799,7 +3040,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -2808,7 +3049,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 grep@3.7-1build1 @@ -2861,7 +3102,7 @@

          Release of Invalid Pointer or Reference

          • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
          • Package Manager: ubuntu:22.04 @@ -2874,7 +3115,7 @@

            Release of Invalid Pointer or Reference

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.9.9 and patch@2.7.6-7build2
          @@ -2887,7 +3128,7 @@

          Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 patch@2.7.6-7build2 @@ -2908,8 +3149,8 @@

            Remediation

            There is no fixed version for Ubuntu:22.04 patch.

            References


            @@ -2931,7 +3172,7 @@

            Double Free

            • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
            • Package Manager: ubuntu:22.04 @@ -2944,7 +3185,7 @@

              Double Free

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.9.9 and patch@2.7.6-7build2
            @@ -2957,7 +3198,7 @@

            Detailed paths

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 patch@2.7.6-7build2 @@ -3006,7 +3247,7 @@

              CVE-2023-50495

              • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
              • Package Manager: ubuntu:22.04 @@ -3019,7 +3260,7 @@

                CVE-2023-50495

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.9.9 and ncurses/libtinfo6@6.3-2ubuntu0.1
              @@ -3032,7 +3273,7 @@

              Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -3041,7 +3282,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 bash@5.1-6ubuntu1 @@ -3052,7 +3293,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3063,7 +3304,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 less@590-1ubuntu0.22.04.2 @@ -3074,7 +3315,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 libedit/libedit2@3.1-20210910-1build1 @@ -3085,7 +3326,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3096,7 +3337,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3107,7 +3348,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps@2:3.3.17-6ubuntu2.1 @@ -3118,7 +3359,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 util-linux@2.37.2-4ubuntu3 @@ -3129,7 +3370,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3144,7 +3385,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3159,7 +3400,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3168,7 +3409,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps@2:3.3.17-6ubuntu2.1 @@ -3179,7 +3420,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3194,7 +3435,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3203,7 +3444,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps@2:3.3.17-6ubuntu2.1 @@ -3214,7 +3455,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -3223,7 +3464,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3244,11 +3485,11 @@

                Remediation

                There is no fixed version for Ubuntu:22.04 ncurses.

                References


                @@ -3270,7 +3511,7 @@

                CVE-2023-45918

                • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                • Package Manager: ubuntu:22.04 @@ -3283,7 +3524,7 @@

                  CVE-2023-45918

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.9.9 and ncurses/libtinfo6@6.3-2ubuntu0.1
                @@ -3296,7 +3537,7 @@

                Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -3305,7 +3546,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 bash@5.1-6ubuntu1 @@ -3316,7 +3557,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3327,7 +3568,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 less@590-1ubuntu0.22.04.2 @@ -3338,7 +3579,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 libedit/libedit2@3.1-20210910-1build1 @@ -3349,7 +3590,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3360,7 +3601,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3371,7 +3612,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps@2:3.3.17-6ubuntu2.1 @@ -3382,7 +3623,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 util-linux@2.37.2-4ubuntu3 @@ -3393,7 +3634,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3408,7 +3649,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3423,7 +3664,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3432,7 +3673,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps@2:3.3.17-6ubuntu2.1 @@ -3443,7 +3684,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3458,7 +3699,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3467,7 +3708,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 procps@2:3.3.17-6ubuntu2.1 @@ -3478,7 +3719,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -3487,7 +3728,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3508,8 +3749,9 @@

                  Remediation

                  There is no fixed version for Ubuntu:22.04 ncurses.

                  References


                  @@ -3531,7 +3773,7 @@

                  Resource Exhaustion

                  • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                  • Package Manager: ubuntu:22.04 @@ -3544,7 +3786,7 @@

                    Resource Exhaustion

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and libzstd/libzstd1@1.4.8+dfsg-3build1 + docker-image|quay.io/argoproj/argocd@v2.9.9 and libzstd/libzstd1@1.4.8+dfsg-3build1
                  @@ -3557,7 +3799,7 @@

                  Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -3608,7 +3850,7 @@

                    Integer Overflow or Wraparound

                    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                    • Package Manager: ubuntu:22.04 @@ -3621,7 +3863,7 @@

                      Integer Overflow or Wraparound

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.9.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
                    @@ -3634,7 +3876,7 @@

                    Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3643,7 +3885,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -3664,7 +3906,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -3687,7 +3929,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3696,7 +3938,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -3717,7 +3959,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3726,7 +3968,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 openssh/openssh-client@1:8.9p1-3ubuntu0.6 @@ -3737,7 +3979,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -3750,7 +3992,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -3765,7 +4007,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 adduser@3.118ubuntu5 @@ -3784,7 +4026,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3805,12 +4047,12 @@

                      Remediation

                      There is no fixed version for Ubuntu:22.04 krb5.

                      References


                      @@ -3832,7 +4074,7 @@

                      Out-of-bounds Write

                      • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                      • Package Manager: ubuntu:22.04 @@ -3845,7 +4087,7 @@

                        Out-of-bounds Write

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.9.9 and gnupg2/gpgv@2.2.27-3ubuntu2.1
                      @@ -3858,7 +4100,7 @@

                      Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -3867,7 +4109,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 apt@2.4.11 @@ -3878,7 +4120,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3889,7 +4131,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -3900,7 +4142,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3911,7 +4153,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3924,7 +4166,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3937,7 +4179,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -3946,7 +4188,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3957,7 +4199,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3970,7 +4212,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -3979,7 +4221,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3990,7 +4232,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -3999,7 +4241,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4010,7 +4252,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -4019,7 +4261,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4030,7 +4272,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4043,7 +4285,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4056,7 +4298,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -4065,7 +4307,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4076,7 +4318,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4089,7 +4331,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4102,7 +4344,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -4111,7 +4353,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4122,7 +4364,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -4131,7 +4373,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4142,7 +4384,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -4151,7 +4393,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4162,7 +4404,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4211,7 +4453,7 @@

                        Allocation of Resources Without Limits or Throttling

                      • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                      • Package Manager: ubuntu:22.04 @@ -4224,7 +4466,7 @@

                        Allocation of Resources Without Limits or Throttling

                        Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and glibc/libc-bin@2.35-0ubuntu3.6 + docker-image|quay.io/argoproj/argocd@v2.9.9 and glibc/libc-bin@2.35-0ubuntu3.6
                      @@ -4237,7 +4479,7 @@

                      Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 glibc/libc-bin@2.35-0ubuntu3.6 @@ -4246,7 +4488,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 glibc/libc6@2.35-0ubuntu3.6 @@ -4292,7 +4534,7 @@

                        Improper Input Validation

                        • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                        • Package Manager: ubuntu:22.04 @@ -4306,7 +4548,7 @@

                          Improper Input Validation

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11, git@1:2.34.1-1ubuntu1.10 and others + docker-image|quay.io/argoproj/argocd@v2.9.9, git@1:2.34.1-1ubuntu1.10 and others
                        @@ -4318,7 +4560,7 @@

                        Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -4329,7 +4571,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git@1:2.34.1-1ubuntu1.10 @@ -4338,7 +4580,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 + docker-image|quay.io/argoproj/argocd@v2.9.9 git-lfs@3.0.2-1ubuntu0.2 @@ -4385,7 +4627,7 @@

                          Uncontrolled Recursion

                          • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.9/argoproj/argocd Dockerfile
                          • Package Manager: ubuntu:22.04 @@ -4398,7 +4640,7 @@

                            Uncontrolled Recursion

                          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + docker-image|quay.io/argoproj/argocd@v2.9.9 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
                          @@ -4411,7 +4653,7 @@

                          Detailed paths

    -
    -

    Out-of-bounds Write

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - bash -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.8.11 and bash@5.1-6ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.11 - - bash@5.1-6ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 bash.

    -

    References

    - - -
    - - - -
    diff --git a/docs/snyk/v2.9.7/redis_7.0.11-alpine.html b/docs/snyk/v2.9.9/redis_7.0.11-alpine.html similarity index 99% rename from docs/snyk/v2.9.7/redis_7.0.11-alpine.html rename to docs/snyk/v2.9.9/redis_7.0.11-alpine.html index 4374c91670ff0..55538b9b23982 100644 --- a/docs/snyk/v2.9.7/redis_7.0.11-alpine.html +++ b/docs/snyk/v2.9.9/redis_7.0.11-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    March 10th 2024, 12:18:43 am (UTC+00:00)

    +

    March 24th 2024, 12:18:14 am (UTC+00:00)

    Scanned the following path: @@ -1686,12 +1686,12 @@

    Remediation

    Upgrade Alpine:3.18 openssl to version 3.1.4-r3 or higher.

    References


    From 31aa4d9af925729605d3bdf47cd1c10c471c53c9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 15:56:27 -0400 Subject: [PATCH 05/14] chore(deps): bump follow-redirects from 1.15.5 to 1.15.6 in /ui-test (#17541) Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.5...v1.15.6) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ui-test/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ui-test/yarn.lock b/ui-test/yarn.lock index 6765cbf79d61b..9d7f089c6f4d9 100644 --- a/ui-test/yarn.lock +++ b/ui-test/yarn.lock @@ -540,9 +540,9 @@ flat@^5.0.2: integrity sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ== follow-redirects@^1.14.0: - version "1.15.5" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.5.tgz#54d4d6d062c0fa7d9d17feb008461550e3ba8020" - integrity sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw== + version "1.15.6" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b" + integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA== foreach@^2.0.5: version "2.0.5" From 4b80393108ff0c8ddb8dbb93668e625257f6acd8 Mon Sep 17 00:00:00 2001 From: olivier beyler Date: Thu, 28 Mar 2024 05:41:21 +0100 Subject: [PATCH 06/14] Update USERS.md (#17651) Add arturia as users Signed-off-by: olivier beyler --- USERS.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/USERS.md b/USERS.md
index 0932dcebaa898..09f25ea5bf006 100644
--- a/USERS.md
+++ b/USERS.md
@@ -25,6 +25,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
 1. [Arctiq Inc.](https://www.arctiq.ca)
+2. [Arturia](https://www.arturia.com)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
 1. [Autodesk](https://www.autodesk.com)
 1. [Axians ACSP](https://www.axians.fr)
From 53b08426bc63d1d02c66adda51d494212cc9b519 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 28 Mar 2024 13:13:55 +0200
Subject: [PATCH 07/14] chore(deps): bump express from 4.17.3 to 4.19.2 in /ui (#17648)
Bumps [express](https://github.com/expressjs/express) from 4.17.3 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.17.3...4.19.2)
---
updated-dependencies:
- dependency-name: express
dependency-type: indirect
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 ui/yarn.lock | 157 ++++++++++++++++++++++++++++-----------------------
 1 file changed, 85 insertions(+), 72 deletions(-)
diff --git a/ui/yarn.lock b/ui/yarn.lock
index b71336dac0a82..8ebc2828eda96 100644
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -2781,21 +2781,23 @@ binary-extensions@^2.0.0: resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.2.0.tgz#75f502eeaf9ffde42fc98829645be4ea76bd9e2d" integrity sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA== -body-parser@1.19.2: - version "1.19.2" - resolved "https://registry.npmjs.org/body-parser/-/body-parser-1.19.2.tgz#4714ccd9c157d44797b8b5607d72c0b89952f26e" - integrity sha512-SAAwOxgoCKMGs9uUAUFHygfLAyaniaoun6I8mFY9pRAJL9+Kec34aU+oIjDhTycub1jozEfEwx1W1IuOYxVSFw== +body-parser@1.20.2: + version "1.20.2" + resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd" + integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA== dependencies: bytes "3.1.2" - content-type "~1.0.4" + content-type "~1.0.5" debug "2.6.9" - depd "~1.1.2" - http-errors "1.8.1" + depd "2.0.0" + destroy "1.2.0" + http-errors "2.0.0" iconv-lite "0.4.24" - on-finished "~2.3.0" - qs "6.9.7" - raw-body "2.4.3" + on-finished "2.4.1" + qs "6.11.0" + raw-body "2.5.2" type-is "~1.6.18" + unpipe "1.0.0" bonjour@^3.5.0: version "3.5.0" @@ -3290,6 +3292,11 @@ content-type@~1.0.4: resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b" integrity sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA== +content-type@~1.0.5: + version "1.0.5" + resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.5.tgz#8b773162656d1d1086784c8f23a54ce6d73d7918" + integrity sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA== + convert-source-map@^1.4.0, convert-source-map@^1.6.0, convert-source-map@^1.7.0: version "1.8.0" resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-1.8.0.tgz#f3373c32d21b4d780dd8004514684fb791ca4369" 
@@ -3302,10 +3309,10 @@ cookie-signature@1.0.6: resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c" integrity sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ== -cookie@0.4.2: - version "0.4.2" - resolved "https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz#0e41f24de5ecf317947c82fc789e06a884824432" - integrity sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA== +cookie@0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051" + integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw== cookiejar@^2.1.4: version "2.1.4" @@ -3638,15 +3645,20 @@ delayed-stream@~1.0.0: resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619" integrity sha1-3zrhmayt+31ECqrgsp4icrJOxhk= +depd@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/depd/-/depd-2.0.0.tgz#b696163cc757560d09cf22cc8fad1571b79e76df" + integrity sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw== + depd@~1.1.2: version "1.1.2" resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9" integrity sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak= -destroy@~1.0.4: - version "1.0.4" - resolved "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz#978857442c44749e4206613e37946205826abd80" - integrity sha512-3NdhDuEXnfun/z7x9GOElY49LoqVHoGScmOKwmxhsS8N5Y+Z8KyPPDnaSzqWgYt/ji4mqwfTS34Htrk0zPIXVg== +destroy@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.2.0.tgz#4803735509ad8be552934c67df614f94e66fa015" + integrity sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg== detect-newline@^3.0.0: version "3.1.0" 
@@ -4308,37 +4320,38 @@ expect@^27.5.1: jest-message-util "^27.5.1" express@^4.17.1: - version "4.17.3" - resolved "https://registry.npmjs.org/express/-/express-4.17.3.tgz#f6c7302194a4fb54271b73a1fe7a06478c8f85a1" - integrity sha512-yuSQpz5I+Ch7gFrPCk4/c+dIBKlQUxtgwqzph132bsT6qhuzss6I8cLJQz7B3rFblzd6wtcI0ZbGltH/C4LjUg== + version "4.19.2" + resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" + integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== dependencies: accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.19.2" + body-parser "1.20.2" content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.4.2" + cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" - depd "~1.1.2" + depd "2.0.0" encodeurl "~1.0.2" escape-html "~1.0.3" etag "~1.8.1" - finalhandler "~1.1.2" + finalhandler "1.2.0" fresh "0.5.2" + http-errors "2.0.0" merge-descriptors "1.0.1" methods "~1.1.2" - on-finished "~2.3.0" + on-finished "2.4.1" parseurl "~1.3.3" path-to-regexp "0.1.7" proxy-addr "~2.0.7" - qs "6.9.7" + qs "6.11.0" range-parser "~1.2.1" safe-buffer "5.2.1" - send "0.17.2" - serve-static "1.14.2" + send "0.18.0" + serve-static "1.15.0" setprototypeof "1.2.0" - statuses "~1.5.0" + statuses "2.0.1" type-is "~1.6.18" utils-merge "1.0.1" vary "~1.1.2" 
@@ -4468,17 +4481,17 @@ fill-range@^7.0.1: dependencies: to-regex-range "^5.0.1" -finalhandler@~1.1.2: - version "1.1.2" - resolved "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz#b7e7d000ffd11938d0fdb053506f6ebabe9f587d" - integrity sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA== +finalhandler@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/finalhandler/-/finalhandler-1.2.0.tgz#7d23fe5731b207b4640e4fcd00aec1f9207a7b32" + integrity sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg== dependencies: debug "2.6.9" encodeurl "~1.0.2" escape-html "~1.0.3" - on-finished "~2.3.0" + on-finished "2.4.1" parseurl "~1.3.3" - statuses "~1.5.0" + statuses "2.0.1" unpipe "~1.0.0" find-cache-dir@^2.0.0: @@ -4915,15 +4928,15 @@ http-deceiver@^1.2.7: resolved "https://registry.yarnpkg.com/http-deceiver/-/http-deceiver-1.2.7.tgz#fa7168944ab9a519d337cb0bec7284dc3e723d87" integrity sha1-+nFolEq5pRnTN8sL7HKE3D5yPYc= -http-errors@1.8.1: - version "1.8.1" - resolved "https://registry.npmjs.org/http-errors/-/http-errors-1.8.1.tgz#7c3f28577cbc8a207388455dbd62295ed07bd68c" - integrity sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g== +http-errors@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-2.0.0.tgz#b7774a1486ef73cf7667ac9ae0858c012c57b9d3" + integrity sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ== dependencies: - depd "~1.1.2" + depd "2.0.0" inherits "2.0.4" setprototypeof "1.2.0" - statuses ">= 1.5.0 < 2" + statuses "2.0.1" toidentifier "1.0.1" http-errors@~1.6.2: 
@@ -6738,10 +6751,10 @@ obuf@^1.0.0, obuf@^1.1.2: resolved "https://registry.yarnpkg.com/obuf/-/obuf-1.1.2.tgz#09bea3343d41859ebd446292d11c9d4db619084e" integrity sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg== -on-finished@~2.3.0: - version "2.3.0" - resolved "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz#20f1336481b083cd75337992a16971aa2d906947" - integrity sha512-ikqdkGAAyf/X/gPhXGvfgAytDZtDbr+bkNUJ0N9h5MI/dmdgCs3l6hoHrcUv41sRKew3jIwrp4qQDXiK99Utww== +on-finished@2.4.1: + version "2.4.1" + resolved "https://registry.yarnpkg.com/on-finished/-/on-finished-2.4.1.tgz#58c8c44116e54845ad57f14ab10b03533184ac3f" + integrity sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg== dependencies: ee-first "1.1.1" @@ -7267,12 +7280,7 @@ qrcode.react@^3.1.0: resolved "https://registry.yarnpkg.com/qrcode.react/-/qrcode.react-3.1.0.tgz#5c91ddc0340f768316fbdb8fff2765134c2aecd8" integrity sha512-oyF+Urr3oAMUG/OiOuONL3HXM+53wvuH3mtIWQrYmsXoAq0DkvZp2RYUWFSMFtbdOpuS++9v+WAkzNVkMlNW6Q== -qs@6.9.7: - version "6.9.7" - resolved "https://registry.npmjs.org/qs/-/qs-6.9.7.tgz#4610846871485e1e048f44ae3b94033f0e675afe" - integrity sha512-IhMFgUmuNpyRfxA90umL7ByLlgRXu6tIfKPpF5TmcfRLlLCckfP/g3IQmju6jjpu+Hh8rA+2p6A27ZSPOOHdKw== - -qs@^6.11.0: +qs@6.11.0, qs@^6.11.0: version "6.11.0" resolved "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a" integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q== 
@@ -7306,13 +7314,13 @@ range-parser@^1.2.1, range-parser@~1.2.1: resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.1.tgz#3cf37023d199e1c24d1a55b84800c2f3e6468031" integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg== -raw-body@2.4.3: - version "2.4.3" - resolved "https://registry.npmjs.org/raw-body/-/raw-body-2.4.3.tgz#8f80305d11c2a0a545c2d9d89d7a0286fcead43c" - integrity sha512-UlTNLIcu0uzb4D2f4WltY6cVjLi+/jEN4lgEUj3E04tpMDpUlkBo/eSn6zou9hum2VMNpCCUone0O0WeJim07g== +raw-body@2.5.2: + version "2.5.2" + resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a" + integrity sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA== dependencies: bytes "3.1.2" - http-errors "1.8.1" + http-errors "2.0.0" iconv-lite "0.4.24" unpipe "1.0.0" 
@@ -8436,24 +8444,24 @@ semver@^6.0.0, semver@^6.3.0: resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4" integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA== -send@0.17.2: - version "0.17.2" - resolved "https://registry.npmjs.org/send/-/send-0.17.2.tgz#926622f76601c41808012c8bf1688fe3906f7820" - integrity sha512-UJYB6wFSJE3G00nEivR5rgWp8c2xXvJ3OPWPhmuteU0IKj8nKbG3DrjiOmLwpnHGYWAVwA69zmTm++YG0Hmwww== +send@0.18.0: + version "0.18.0" + resolved "https://registry.yarnpkg.com/send/-/send-0.18.0.tgz#670167cc654b05f5aa4a767f9113bb371bc706be" + integrity sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg== dependencies: debug "2.6.9" - depd "~1.1.2" - destroy "~1.0.4" + depd "2.0.0" + destroy "1.2.0" encodeurl "~1.0.2" escape-html "~1.0.3" etag "~1.8.1" fresh "0.5.2" - http-errors "1.8.1" + http-errors "2.0.0" mime "1.6.0" ms "2.1.3" - on-finished "~2.3.0" + on-finished "2.4.1" range-parser "~1.2.1" - statuses "~1.5.0" + statuses "2.0.1" serialize-javascript@^5.0.1: version "5.0.1" @@ -8482,15 +8490,15 @@ serve-index@^1.9.1: mime-types "~2.1.17" parseurl "~1.3.2" -serve-static@1.14.2: - version "1.14.2" - resolved "https://registry.npmjs.org/serve-static/-/serve-static-1.14.2.tgz#722d6294b1d62626d41b43a013ece4598d292bfa" - integrity sha512-+TMNA9AFxUEGuC0z2mevogSnn9MXKb4fa7ngeRMJaaGv8vTwnIEkKi+QGvPt33HSnf8pRS+WGM0EbMtCJLKMBQ== +serve-static@1.15.0: + version "1.15.0" + resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.15.0.tgz#faaef08cffe0a1a62f60cad0c4e513cff0ac9540" + integrity sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g== dependencies: encodeurl "~1.0.2" escape-html "~1.0.3" parseurl "~1.3.3" - send "0.17.2" + send "0.18.0" set-value@^2.0.0, set-value@^2.0.1: version "2.0.1" 
@@ -8808,7 +8816,12 @@ static-extend@^0.1.1: define-property "^0.2.5" object-copy "^0.1.0" -"statuses@>= 1.4.0 < 2", "statuses@>= 1.5.0 < 2", statuses@~1.5.0: +statuses@2.0.1: + version "2.0.1" + resolved "https://registry.yarnpkg.com/statuses/-/statuses-2.0.1.tgz#55cb000ccf1d48728bd23c685a063998cf1a1b63" + integrity sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ== + +"statuses@>= 1.4.0 < 2": version "1.5.0" resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c" integrity sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow= From ae29279cbe7d9df3b2162f39461a61f72aac0589 Mon Sep 17 00:00:00 2001 From: pasha-codefresh Date: Thu, 28 Mar 2024 14:38:03 +0200 Subject: [PATCH 08/14] Merge pull request from GHSA-jhwx-mhww-rgc3 * sec: limit helm index max size Signed-off-by: pashakostohrys * sec: limit helm index max size Signed-off-by: pashakostohrys * feat: fix tests and linter Signed-off-by: pashakostohrys --------- Signed-off-by: pashakostohrys --- .../commands/argocd_repo_server.go | 6 ++++++ reposerver/repository/repository.go | 7 ++++--- reposerver/repository/repository_test.go | 2 +- util/helm/client.go | 10 +++++----- util/helm/client_test.go | 14 ++++++++++---- util/helm/mocks/Client.go | 2 +- 6 files changed, 27 insertions(+), 14 deletions(-) diff --git a/cmd/argocd-repo-server/commands/argocd_repo_server.go b/cmd/argocd-repo-server/commands/argocd_repo_server.go index 84b50e7cd5ab9..2ba17cd9b64ba 100644 --- a/cmd/argocd-repo-server/commands/argocd_repo_server.go +++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go @@ -68,6 +68,7 @@ func NewCommand() *cobra.Command { streamedManifestMaxTarSize string streamedManifestMaxExtractedSize string helmManifestMaxExtractedSize string + helmRegistryMaxIndexSize string disableManifestMaxExtractedSize bool ) var command = cobra.Command{ 
@@ -110,6 +111,9 @@ func NewCommand() *cobra.Command { helmManifestMaxExtractedSizeQuantity, err := resource.ParseQuantity(helmManifestMaxExtractedSize) errors.CheckError(err) + helmRegistryMaxIndexSizeQuantity, err := resource.ParseQuantity(helmRegistryMaxIndexSize) + errors.CheckError(err) + askPassServer := askpass.NewServer() metricsServer := metrics.NewMetricsServer() cacheutil.CollectMetrics(redisClient, metricsServer) @@ -125,6 +129,7 @@ func NewCommand() *cobra.Command { StreamedManifestMaxExtractedSize: streamedManifestMaxExtractedSizeQuantity.ToDec().Value(), StreamedManifestMaxTarSize: streamedManifestMaxTarSizeQuantity.ToDec().Value(), HelmManifestMaxExtractedSize: helmManifestMaxExtractedSizeQuantity.ToDec().Value(), + HelmRegistryMaxIndexSize: helmRegistryMaxIndexSizeQuantity.ToDec().Value(), }, askPassServer) errors.CheckError(err) 
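Review bot: `errors.CheckError(err)` after `resource.ParseQuantity(helmRegistryMaxIndexSize)` only rejects unparsable input; a value of `0` or a negative quantity parses cleanly and is handed through `.ToDec().Value()` to the helm client as the `io.LimitReader` bound, which would make every index fetch read nothing and fail with a confusing parse error rather than a configuration error. Reject non-positive limits at startup, e.g. `if helmRegistryMaxIndexSizeQuantity.Sign() <= 0 { errors.CheckError(fmt.Errorf("--helm-registry-max-index-size must be positive, got %s", helmRegistryMaxIndexSize)) }` (use whatever error constructor this file already imports). NewCommand starts and ends outside the hunk.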
@@ -208,6 +213,7 @@ func NewCommand() *cobra.Command { command.Flags().StringVar(&streamedManifestMaxTarSize, "streamed-manifest-max-tar-size", env.StringFromEnv("ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE", "100M"), "Maximum size of streamed manifest archives") command.Flags().StringVar(&streamedManifestMaxExtractedSize, "streamed-manifest-max-extracted-size", env.StringFromEnv("ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE", "1G"), "Maximum size of streamed manifest archives when extracted") command.Flags().StringVar(&helmManifestMaxExtractedSize, "helm-manifest-max-extracted-size", env.StringFromEnv("ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE", "1G"), "Maximum size of helm manifest archives when extracted") + command.Flags().StringVar(&helmRegistryMaxIndexSize, "helm-registry-max-index-size", env.StringFromEnv("ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_INDEX_SIZE", "1G"), "Maximum size of registry index file") command.Flags().BoolVar(&disableManifestMaxExtractedSize, "disable-helm-manifest-max-extracted-size", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE", false), "Disable maximum size of helm manifest archives when extracted") tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command) cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, cacheutil.Options{ diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index 6e22f1c297366..e962e811ee2b5 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go @@ -109,6 +109,7 @@ type RepoServerInitConstants struct { StreamedManifestMaxExtractedSize int64 StreamedManifestMaxTarSize int64 HelmManifestMaxExtractedSize int64 + HelmRegistryMaxIndexSize int64 DisableHelmManifestMaxExtractedSize bool } 
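Review bot: The environment variable backing the new flag, `ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_INDEX_SIZE`, does not follow the flag name `--helm-registry-max-index-size` and instead reuses the `HELM_MANIFEST_` prefix of the neighbouring extracted-size limit, so operators configuring by environment will have to guess it; `ARGOCD_REPO_SERVER_HELM_REGISTRY_MAX_INDEX_SIZE` would mirror the flag, and whichever name is kept should be spelled out in the flag help. Since the limit is enforced by reading the whole body into memory (`io.ReadAll` over a `LimitReader` in the helm client hunk below), the default of `1G` still allows a single index fetch to buffer up to a gigabyte, which the help text should make explicit, e.g. `"Maximum size of a Helm repository index file that will be downloaded into memory"`. NewCommand continues outside the hunk.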
@@ -2371,7 +2372,7 @@ func (s *Service) newHelmClientResolveRevision(repo *v1alpha1.Repository, revisi return helmClient, version.String(), nil } - index, err := helmClient.GetIndex(noRevisionCache) + index, err := helmClient.GetIndex(noRevisionCache, s.initConstants.HelmRegistryMaxIndexSize) if err != nil { return nil, "", err } @@ -2453,7 +2454,7 @@ func checkoutRevision(gitClient git.Client, revision string, submoduleEnabled bo } func (s *Service) GetHelmCharts(ctx context.Context, q *apiclient.HelmChartsRequest) (*apiclient.HelmChartsResponse, error) { - index, err := s.newHelmClient(q.Repo.Repo, q.Repo.GetHelmCreds(), q.Repo.EnableOCI, q.Repo.Proxy, helm.WithChartPaths(s.chartPaths)).GetIndex(true) + index, err := s.newHelmClient(q.Repo.Repo, q.Repo.GetHelmCreds(), q.Repo.EnableOCI, q.Repo.Proxy, helm.WithChartPaths(s.chartPaths)).GetIndex(true, s.initConstants.HelmRegistryMaxIndexSize) if err != nil { return nil, err } @@ -2488,7 +2489,7 @@ func (s *Service) TestRepository(ctx context.Context, q *apiclient.TestRepositor _, err := helm.NewClient(repo.Repo, repo.GetHelmCreds(), repo.EnableOCI, repo.Proxy).TestHelmOCI() return err } else { - _, err := helm.NewClient(repo.Repo, repo.GetHelmCreds(), repo.EnableOCI, repo.Proxy).GetIndex(false) + _, err := helm.NewClient(repo.Repo, repo.GetHelmCreds(), repo.EnableOCI, repo.Proxy).GetIndex(false, s.initConstants.HelmRegistryMaxIndexSize) return err } }, diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go index ea1aa2294adc3..d48f50a832eb0 100644 --- a/reposerver/repository/repository_test.go +++ b/reposerver/repository/repository_test.go 
@@ -119,7 +119,7 @@ func newServiceWithMocks(t *testing.T, root string, signed bool) (*Service, *git chart := "my-chart" oobChart := "out-of-bounds-chart" version := "1.1.0" - helmClient.On("GetIndex", mock.AnythingOfType("bool")).Return(&helm.Index{Entries: map[string]helm.Entries{ + helmClient.On("GetIndex", mock.AnythingOfType("bool"), mock.Anything).Return(&helm.Index{Entries: map[string]helm.Entries{ chart: {{Version: "1.0.0"}, {Version: version}}, oobChart: {{Version: "1.0.0"}, {Version: version}}, }}, nil) diff --git a/util/helm/client.go b/util/helm/client.go index 75bd30d1fea13..8b99cd67c6904 100644 --- a/util/helm/client.go +++ b/util/helm/client.go @@ -56,7 +56,7 @@ type indexCache interface { type Client interface { CleanChartCache(chart string, version string) error ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error) - GetIndex(noCache bool) (*Index, error) + GetIndex(noCache bool, maxIndexSize int64) (*Index, error) GetTags(chart string, noCache bool) (*TagsList, error) TestHelmOCI() (bool, error) } @@ -230,7 +230,7 @@ func (c *nativeHelmChart) ExtractChart(chart string, version string, passCredent }), nil } -func (c *nativeHelmChart) GetIndex(noCache bool) (*Index, error) { +func (c *nativeHelmChart) GetIndex(noCache bool, maxIndexSize int64) (*Index, error) { indexLock.Lock(c.repoURL) defer indexLock.Unlock(c.repoURL) @@ -244,7 +244,7 @@ func (c *nativeHelmChart) GetIndex(noCache bool) (*Index, error) { if len(data) == 0 { start := time.Now() var err error - data, err = c.loadRepoIndex() + data, err = c.loadRepoIndex(maxIndexSize) if err != nil { return nil, err } 
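Review bot: `GetTags(chart string, noCache bool)` on the `Client` interface keeps its old signature, so if its implementation also reads a registry response body into memory (not visible here), the OCI tag-list path stays unbounded while only the index path is now capped; either thread a size limit through it as well or note on the interface why it is exempt. In the `GetIndex` hunk, `maxIndexSize` is only consulted on the cache-miss branch (`if len(data) == 0`), so index data already held in the index cache is returned regardless of the configured limit; a comment such as `// maxIndexSize bounds a fresh download only; cached index data is returned as-is` on `GetIndex` would make that explicit. The `GetIndex` body continues outside the hunk.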
@@ -297,7 +297,7 @@ func (c *nativeHelmChart) TestHelmOCI() (bool, error) { return true, nil } -func (c *nativeHelmChart) loadRepoIndex() ([]byte, error) { +func (c *nativeHelmChart) loadRepoIndex(maxIndexSize int64) ([]byte, error) { indexURL, err := getIndexURL(c.repoURL) if err != nil { return nil, err @@ -332,7 +332,7 @@ func (c *nativeHelmChart) loadRepoIndex() ([]byte, error) { if resp.StatusCode != http.StatusOK { return nil, errors.New("failed to get index: " + resp.Status) } - return io.ReadAll(resp.Body) + return io.ReadAll(io.LimitReader(resp.Body, maxIndexSize)) } func newTLSConfig(creds Creds) (*tls.Config, error) { diff --git a/util/helm/client_test.go b/util/helm/client_test.go index 6fba279df07d0..ad613ca3bd7eb 100644 --- a/util/helm/client_test.go +++ b/util/helm/client_test.go @@ -37,12 +37,12 @@ func (f *fakeIndexCache) GetHelmIndex(_ string, indexData *[]byte) error { func TestIndex(t *testing.T) { t.Run("Invalid", func(t *testing.T) { client := NewClient("", Creds{}, false, "") - _, err := client.GetIndex(false) + _, err := client.GetIndex(false, 10000) assert.Error(t, err) }) t.Run("Stable", func(t *testing.T) { client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "") - index, err := client.GetIndex(false) + index, err := client.GetIndex(false, 10000) assert.NoError(t, err) assert.NotNil(t, index) }) @@ -51,7 +51,7 @@ func TestIndex(t *testing.T) { Username: "my-password", Password: "my-username", }, false, "") - index, err := client.GetIndex(false) + index, err := client.GetIndex(false, 10000) assert.NoError(t, err) assert.NotNil(t, index) }) 
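Review bot: `io.ReadAll(io.LimitReader(resp.Body, maxIndexSize))` silently truncates an oversized index rather than rejecting it, so the caller only learns of the problem if the cut-off YAML happens to fail to parse, and a truncation landing on an entry boundary could be parsed as a valid but incomplete index with chart versions missing. Read one byte more than the limit and fail explicitly when it is exceeded, as below; this also turns a zero or negative limit into a clear error instead of an empty read. If `fmt` is not already imported in client.go, compose the message with `errors.New` and `strconv.FormatInt` instead. `loadRepoIndex` opens outside the hunk.
```go
	// … unchanged: status-code check …
	data, err := io.ReadAll(io.LimitReader(resp.Body, maxIndexSize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxIndexSize {
		return nil, fmt.Errorf("helm index at %s exceeds the configured maximum size of %d bytes", indexURL, maxIndexSize)
	}
	return data, nil
```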
@@ -63,12 +63,18 @@ func TestIndex(t *testing.T) { require.NoError(t, err) client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "", WithIndexCache(&fakeIndexCache{data: data.Bytes()})) - index, err := client.GetIndex(false) + index, err := client.GetIndex(false, 10000) assert.NoError(t, err) assert.Equal(t, fakeIndex, *index) }) + t.Run("Limited", func(t *testing.T) { + client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "") + _, err := client.GetIndex(false, 100) + + assert.ErrorContains(t, err, "unexpected end of stream") + }) } func Test_nativeHelmChart_ExtractChart(t *testing.T) { diff --git a/util/helm/mocks/Client.go b/util/helm/mocks/Client.go index 6dc25e4affd0b..0acae845a3d33 100644 --- a/util/helm/mocks/Client.go +++ b/util/helm/mocks/Client.go @@ -59,7 +59,7 @@ func (_m *Client) ExtractChart(chart string, version string, passCredentials boo } // GetIndex provides a mock function with given fields: noCache -func (_m *Client) GetIndex(noCache bool) (*helm.Index, error) { +func (_m *Client) GetIndex(noCache bool, maxIndexSize int64) (*helm.Index, error) { ret := _m.Called(noCache) var r0 *helm.Index From 8631e7ef9be5b0da99457f12af0430d9ad873ac5 Mon Sep 17 00:00:00 2001 From: Leonardo Luz Almeida Date: Thu, 28 Mar 2024 09:57:32 -0400 Subject: [PATCH 09/14] docs: fix contrib meeting time description (#17655) Signed-off-by: Leonardo Luz Almeida --- docs/developer-guide/code-contributions.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/developer-guide/code-contributions.md b/docs/developer-guide/code-contributions.md index b02bf64e15505..2d28aaa956b48 100644 --- a/docs/developer-guide/code-contributions.md +++ b/docs/developer-guide/code-contributions.md 
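Review bot: The new `Limited` case asserts on `"unexpected end of stream"`, which reads like the YAML parser's message for a truncated document rather than anything `GetIndex` itself reports, so the test pins third-party error text and would also pass for any unrelated parse failure of the first 100 bytes. Like its siblings it fetches `https://argoproj.github.io/argo-helm` over the network, so the limit check additionally depends on the live index being larger than 100 bytes. Serving a fixed index from an `httptest.NewServer` and asserting on an error message emitted by the client would make the case deterministic and independent of the parser.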
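Review bot: The mock's `GetIndex` gains the `maxIndexSize int64` parameter but still records the call as `ret := _m.Called(noCache)`, so expectations set on the second argument are never matched against the real value and the doc comment `// GetIndex provides a mock function with given fields: noCache` is now stale; regenerate the mock, or at minimum change the line to `ret := _m.Called(noCache, maxIndexSize)` and update the comment to `// GetIndex provides a mock function with given fields: noCache, maxIndexSize`. The mock body continues outside the hunk.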
@@ -103,10 +103,12 @@ Design documents are usually submitted as PR and use [this template](https://git Our community regularly meets virtually to discuss issues, ideas and enhancements around Argo CD. We do invite you to join this virtual meetings if you want to bring up certain things (including your enhancement proposals), participate in our triaging or just want to get to know other contributors. -The current cadence of our meetings is weekly, every Thursday at 4:15pm UTC (8:15am Pacific, 11:15am Eastern, 5:15pm Central European, 9:45pm Indian). We use Zoom to conduct these meetings. +The current cadence of our meetings is weekly, every Thursday at 8:15AM Pacific Time ([click here to check in your current timezone][1]). We use Zoom to conduct these meetings. * [Agenda document (Google Docs, includes Zoom link)](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8) If you want to discuss something, we kindly ask you to put your item on the [agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8) -for one of the upcoming meetings so that we can plan in the time for discussing it. \ No newline at end of file +for one of the upcoming meetings so that we can plan in the time for discussing it. + +[1]: https://www.timebie.com/std/pacific.php?q=081500 From e26f4fbdc12a98ea3801c1128141dde211afa2dc Mon Sep 17 00:00:00 2001 From: Deniz Erdogan <91744937+deer-wmde@users.noreply.github.com> Date: Thu, 28 Mar 2024 15:36:35 +0100 Subject: [PATCH 10/14] docs: 2 link fixes + hint (#17657) * Update security.md fix RBAC link Signed-off-by: Deniz Erdogan <91744937+deer-wmde@users.noreply.github.com> * Update security.md Signed-off-by: Deniz Erdogan <91744937+deer-wmde@users.noreply.github.com> * Update security.md fix link to application-controller role Signed-off-by: Deniz Erdogan <91744937+deer-wmde@users.noreply.github.com> * Update security.md 
Signed-off-by: Deniz Erdogan <91744937+deer-wmde@users.noreply.github.com> --------- Signed-off-by: Deniz Erdogan <91744937+deer-wmde@users.noreply.github.com> --- docs/operator-manual/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/operator-manual/security.md b/docs/operator-manual/security.md index 47c5d3aa1accc..9d05c45cb7c74 100644 --- a/docs/operator-manual/security.md +++ b/docs/operator-manual/security.md @@ -30,7 +30,7 @@ in one of the following ways: ## Authorization Authorization is performed by iterating the list of group membership in a user's JWT groups claims, -and comparing each group against the roles/rules in the [RBAC](../rbac) policy. Any matched rule +and comparing each group against the roles/rules in the [RBAC](./rbac.md) policy. Any matched rule permits access to the API request. ## TLS @@ -144,7 +144,7 @@ argocd cluster rm https://your-kubernetes-cluster-addr ## Cluster RBAC -By default, Argo CD uses a [clusteradmin level role](https://github.com/argoproj/argo-cd/blob/master/manifests/base/application-controller/argocd-application-controller-role.yaml) +By default, Argo CD uses a [clusteradmin level role](https://github.com/argoproj/argo-cd/blob/master/manifests/base/application-controller-roles/argocd-application-controller-role.yaml) in order to: 1. watch & operate on cluster state From b711c5b7d7087e155df538ad58498bfa0745445d Mon Sep 17 00:00:00 2001 From: "Kostis (Codefresh)" <39800303+kostis-codefresh@users.noreply.github.com> Date: Fri, 29 Mar 2024 15:00:50 +0100 Subject: [PATCH 11/14] docs: added warning for multiple sources (#17670) * docs: added warning for multiple sources Signed-off-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com> * docs: minor spelling Signed-off-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com> --------- 
Signed-off-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com> --- docs/user-guide/multiple_sources.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/user-guide/multiple_sources.md b/docs/user-guide/multiple_sources.md index c48d9743d66da..e539f8f6288aa 100644 --- a/docs/user-guide/multiple_sources.md +++ b/docs/user-guide/multiple_sources.md @@ -36,6 +36,9 @@ spec: The above example has two sources specified. Argo CD will generate the manifests for each source separately and combine the resulting manifests. +!!! warning "Do not abuse multiple sources" + Note that the example above is just for illustration purposes. This feature is **NOT** destined as a generic way to group your applications. Take a look at [applicationsets](../user-guide/application-set.md) and the [app-of-apps](../../operator-manual/cluster-bootstrapping/) pattern if you want to have a single entity for multiple applications. If you find yourself using more than 2-3 items in the `sources` array then you are almost certainly abusing this feature and you need to rethink your application grouping strategy. + If multiple sources produce the same resource (same `group`, `kind`, `name`, and `namespace`), the last source to produce the resource will take precedence. Argo CD will produce a `RepeatedResourceWarning` in this case, but it will sync the resources. This provides a convenient way to override a resource from a chart with a resource from a Git repo. From 766a6da2cdb5dcf96b7ab64a235c5b60da292c42 Mon Sep 17 00:00:00 2001 From: Mangaal <44372157+Mangaal@users.noreply.github.com> Date: Sat, 30 Mar 2024 00:19:16 +0530 Subject: [PATCH 12/14] feat: Enhance ArgoCD CLI: Dynamic Repo Server Retrieval with --core and --refresh Flags (#17613) * add const key value for ComponentRepoServer Signed-off-by: Mangaal * update NewRepoServerClient() to look for service with ComponentRepoServer labels , if the label exist construct label selector PortForward 
Signed-off-by: Mangaal * add comment for the new constants Signed-off-by: Mangaal * instead of passing nil which leads to nil ptr referance error, pass empty ClusterSharding{} Signed-off-by: Mangaal * check for operator install repo server name Signed-off-by: Mangaal * handle empty nil ptr dereference error Signed-off-by: Mangaal * handle nil prt dereference Signed-off-by: Mangaal * typo correction Signed-off-by: Mangaal * run clidocsgen Signed-off-by: Mangaal --------- Signed-off-by: Mangaal --- cmd/argocd/commands/admin/app.go | 19 ++++++++++++++----- cmd/argocd/commands/headless/headless.go | 18 ++++++++++++++++-- common/common.go | 4 ++++ controller/cache/cache.go | 4 ++++ .../server-commands/argocd-repo-server.md | 1 + 5 files changed, 39 insertions(+), 7 deletions(-) diff --git a/cmd/argocd/commands/admin/app.go b/cmd/argocd/commands/admin/app.go index 096c92f9feb01..ebdec7f261ffc 100644 --- a/cmd/argocd/commands/admin/app.go +++ b/cmd/argocd/commands/admin/app.go @@ -24,6 +24,7 @@ import ( "github.com/argoproj/argo-cd/v2/controller" "github.com/argoproj/argo-cd/v2/controller/cache" "github.com/argoproj/argo-cd/v2/controller/metrics" + "github.com/argoproj/argo-cd/v2/controller/sharding" argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient" "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned" 
@@ -269,18 +270,26 @@ func NewReconcileCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command var result []appReconcileResult if refresh { + appClientset := appclientset.NewForConfigOrDie(cfg) + kubeClientset := kubernetes.NewForConfigOrDie(cfg) if repoServerAddress == "" { printLine("Repo server is not provided, trying to port-forward to argocd-repo-server pod.") overrides := clientcmd.ConfigOverrides{} - repoServerPodLabelSelector := common.LabelKeyAppName + "=" + clientOpts.RepoServerName + repoServerName := clientOpts.RepoServerName + repoServerServiceLabelSelector := common.LabelKeyComponentRepoServer + "=" + common.LabelValueComponentRepoServer + repoServerServices, err := kubeClientset.CoreV1().Services(namespace).List(context.Background(), v1.ListOptions{LabelSelector: repoServerServiceLabelSelector}) + errors.CheckError(err) + if len(repoServerServices.Items) > 0 { + if repoServerServicelabel, ok := repoServerServices.Items[0].Labels[common.LabelKeyAppName]; ok && repoServerServicelabel != "" { + repoServerName = repoServerServicelabel + } + } + repoServerPodLabelSelector := common.LabelKeyAppName + "=" + repoServerName repoServerPort, err := kubeutil.PortForward(8081, namespace, &overrides, repoServerPodLabelSelector) errors.CheckError(err) repoServerAddress = fmt.Sprintf("localhost:%d", repoServerPort) } repoServerClient := reposerverclient.NewRepoServerClientset(repoServerAddress, 60, reposerverclient.TLSConfiguration{DisableTLS: false, StrictValidation: false}) - - appClientset := appclientset.NewForConfigOrDie(cfg) - kubeClientset := kubernetes.NewForConfigOrDie(cfg) result, err = reconcileApplications(ctx, kubeClientset, appClientset, namespace, repoServerClient, selector, newLiveStateCache, serverSideDiff) errors.CheckError(err) } else { 
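Review bot: The new Service lookup overwrites `repoServerName` whenever any Service in the namespace carries `app.kubernetes.io/component=repo-server`, so a value the operator passed through `clientOpts.RepoServerName` is silently replaced by whatever `repoServerServices.Items[0]` carries, and with several matching Services the pick is whatever order the API server returned. Prefer an explicitly set name and fall back to discovery only otherwise (if the option has a default, distinguish default from explicit), and surface the choice with a `printLine` call naming the discovered Service and pod label, so a port-forward to an unexpected pod is visible. Because the client is then built with `StrictValidation: false`, the label is the only thing tying the forwarded connection to the intended repo-server, which deserves a comment on the lookup. NewReconcileCommand continues outside the hunk.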
@@ -437,5 +446,5 @@ func reconcileApplications( } func newLiveStateCache(argoDB db.ArgoDB, appInformer kubecache.SharedIndexInformer, settingsMgr *settings.SettingsManager, server *metrics.MetricsServer) cache.LiveStateCache { - return cache.NewLiveStateCache(argoDB, appInformer, settingsMgr, kubeutil.NewKubectl(), server, func(managedByApp map[string]bool, ref apiv1.ObjectReference) {}, nil, argo.NewResourceTracking()) + return cache.NewLiveStateCache(argoDB, appInformer, settingsMgr, kubeutil.NewKubectl(), server, func(managedByApp map[string]bool, ref apiv1.ObjectReference) {}, &sharding.ClusterSharding{}, argo.NewResourceTracking()) } diff --git a/cmd/argocd/commands/headless/headless.go b/cmd/argocd/commands/headless/headless.go index d48019a2216b9..eca3cb0fb498a 100644 --- a/cmd/argocd/commands/headless/headless.go +++ b/cmd/argocd/commands/headless/headless.go @@ -18,6 +18,7 @@ import ( "github.com/redis/go-redis/v9" log "github.com/sirupsen/logrus" "github.com/spf13/pflag" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes" cache2 "k8s.io/client-go/tools/cache" @@ -115,6 +116,7 @@ type forwardRepoClientset struct { repoClientset repoapiclient.Clientset err error repoServerName string + kubeClientset kubernetes.Interface } func (c *forwardRepoClientset) NewRepoServerClient() (io.Closer, repoapiclient.RepoServerServiceClient, error) { 
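Review bot: `&sharding.ClusterSharding{}` is passed as a zero-value struct purely to satisfy the new nil guard added to `liveStateCache.getCluster`; whether a zero `ClusterSharding` makes `canHandleCluster` accept every cluster (what the admin reconcile needs) or reject them all is not visible here and depends on the type's internals. If the sharding package exposes a constructor, use it; otherwise add `// zero-value sharding: the admin CLI reconciles every cluster, so no shard filtering is wanted — verify canHandleCluster agrees` above the call so the assumption is recorded.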
@@ -122,7 +124,19 @@ func (c *forwardRepoClientset) NewRepoServerClient() (io.Closer, repoapiclient.R overrides := clientcmd.ConfigOverrides{ CurrentContext: c.context, } - repoServerPodLabelSelector := common.LabelKeyAppName + "=" + c.repoServerName + repoServerName := c.repoServerName + repoServererviceLabelSelector := common.LabelKeyComponentRepoServer + "=" + common.LabelValueComponentRepoServer + repoServerServices, err := c.kubeClientset.CoreV1().Services(c.namespace).List(context.Background(), v1.ListOptions{LabelSelector: repoServererviceLabelSelector}) + if err != nil { + c.err = err + return + } + if len(repoServerServices.Items) > 0 { + if repoServerServicelabel, ok := repoServerServices.Items[0].Labels[common.LabelKeyAppName]; ok && repoServerServicelabel != "" { + repoServerName = repoServerServicelabel + } + } + repoServerPodLabelSelector := common.LabelKeyAppName + "=" + repoServerName repoServerPort, err := kubeutil.PortForward(8081, c.namespace, &overrides, repoServerPodLabelSelector) if err != nil { c.err = err @@ -237,7 +251,7 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti KubeClientset: kubeClientset, Insecure: true, ListenHost: *address, - RepoClientset: &forwardRepoClientset{namespace: namespace, context: ctxStr, repoServerName: clientOpts.RepoServerName}, + RepoClientset: &forwardRepoClientset{namespace: namespace, context: ctxStr, repoServerName: clientOpts.RepoServerName, kubeClientset: kubeClientset}, EnableProxyExtension: false, }) srv.Init(ctx) diff --git a/common/common.go b/common/common.go index 628169e6e5075..f4b176946bcbd 100644 --- a/common/common.go +++ b/common/common.go 
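Review bot: `c.kubeClientset.CoreV1()` in `NewRepoServerClient` panics with a nil pointer if a `forwardRepoClientset` is constructed without the new `kubeClientset` field; the `MaybeStartLocalServer` hunk sets it, but any other construction site (not visible here) would not, and nothing on the struct says the field is required — add `// kubeClientset is required; used to discover the repo-server Service by label` on the field or fail early with an explicit error in `c.err`. As in the admin command, `Items[0]` of the Service list silently wins over `c.repoServerName` and over any further matches, which should at least be logged. The selector variable is misspelled (`repoServererviceLabelSelector`); `repoServerServiceLabelSelector` matches the admin command. NewRepoServerClient continues outside the hunk.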
@@ -188,6 +188,10 @@ const (
 // AnnotationKeyAppSkipReconcile tells the Application to skip the Application controller reconcile.
 // Skip reconcile when the value is "true" or any other string values that can be strconv.ParseBool() to be true.
 AnnotationKeyAppSkipReconcile = "argocd.argoproj.io/skip-reconcile"
+ // LabelKeyComponentRepoServer is the label key to identify the component as repo-server
+ LabelKeyComponentRepoServer = "app.kubernetes.io/component"
+ // LabelValueComponentRepoServer is the label value for the repo-server component
+ LabelValueComponentRepoServer = "repo-server"
 )
 
 // Environment variables for tuning and debugging Argo CD
diff --git a/controller/cache/cache.go b/controller/cache/cache.go
index 4df1bf9f2c5ac..826079d62cda3 100644
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -437,6 +437,10 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 return nil, fmt.Errorf("error getting cluster: %w", err)
 }
 
+ if c.clusterSharding == nil {
+ return nil, fmt.Errorf("unable to handle cluster %s: cluster sharding is not configured", cluster.Server)
+ }
+
 if !c.canHandleCluster(cluster) {
 return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
 }
diff --git a/docs/operator-manual/server-commands/argocd-repo-server.md b/docs/operator-manual/server-commands/argocd-repo-server.md
index 083bdc2a0a72a..0f824f494f2af 100644
--- a/docs/operator-manual/server-commands/argocd-repo-server.md
+++ b/docs/operator-manual/server-commands/argocd-repo-server.md
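Review bot: `LabelKeyComponentRepoServer` holds the generic key `app.kubernetes.io/component`, which is not specific to the repo-server, so the constant's name and its comment `is the label key to identify the component as repo-server` misdescribe what it is. Naming it `LabelKeyComponent` with `// LabelKeyComponent is the recommended app.kubernetes.io/component label key` would read accurately and let other components reuse it; `LabelValueComponentRepoServer` as the repo-server specific value is fine as written.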
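Review bot: The new `c.clusterSharding == nil` guard in `getCluster` runs on every call and only after the cluster has already been loaded from the database, although a nil sharding is a construction-time misconfiguration rather than a per-cluster condition; rejecting it once where the cache is constructed would surface the problem at startup instead of on each lookup. Failing closed here, refusing the cluster rather than assuming it is handled, is the right default for a missing shard assignment, so the check itself is sound. `getCluster` starts and ends outside the hunk.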
@@ -21,6 +21,7 @@ argocd-repo-server [flags]
 --disable-helm-manifest-max-extracted-size Disable maximum size of helm manifest archives when extracted
 --disable-tls Disable TLS on the gRPC endpoint
 --helm-manifest-max-extracted-size string Maximum size of helm manifest archives when extracted (default "1G")
+ --helm-registry-max-index-size string Maximum size of registry index file (default "1G")
 -h, --help help for argocd-repo-server
 --logformat string Set the logging format. One of: text|json (default "text")
 --loglevel string Set the logging level. One of: debug|info|warn|error (default "info")
From 7deafc401462419e88bc90f51667d0bc74f16d0c Mon Sep 17 00:00:00 2001
From: Suraj yadav
Date: Mon, 1 Apr 2024 07:46:36 +0530
Subject: [PATCH 13/14] feat(ui): metadata.annotations: too long message Improved (#17452)

* metadata.annotations: too long

Signed-off-by: Surajyadav

* added as a default case

Signed-off-by: Surajyadav

---------

Signed-off-by: Surajyadav
---
 util/argo/argo.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/util/argo/argo.go b/util/argo/argo.go
index 36e513cf0f534..ccc4fe81e94d2 100644
--- a/util/argo/argo.go
+++ b/util/argo/argo.go
@@ -52,6 +52,12 @@ func AugmentSyncMsg(res common.ResourceSyncResult, apiResourceInfoGetter func()
 } else {
 res.Message = fmt.Sprintf("The Kubernetes API could not find version %q of %s/%s for requested resource %s/%s. Version %q of %s/%s is installed on the destination cluster.", res.Version, res.ResourceKey.Group, res.ResourceKey.Kind, res.ResourceKey.Namespace, res.ResourceKey.Name, resource.GroupVersionResource.Version, resource.GroupKind.Group, resource.GroupKind.Kind)
 }
+
+ default:
+ // Check if the message contains "metadata.annotation: Too long"
+ if strings.Contains(res.Message, "metadata.annotations: Too long: must have at most 262144 bytes") {
+ res.Message = fmt.Sprintf("%s \n -Additional Info: This error usually means that you are trying to add a large resource on client side. Consider using Server-side apply or syncing with replace enabled. Note: Syncing with Replace enabled is potentially destructive as it may cause resource deletion and re-creation.", res.Message)
+ }
 }
 return res.Message, nil
From f287daba0da673c177ac7ea42f96c88ea2e4adca Mon Sep 17 00:00:00 2001
From: suhas-chikkanna <162577490+suhas-chikkanna@users.noreply.github.com>
Date: Mon, 1 Apr 2024 20:38:38 +0530
Subject: [PATCH 14/14] chore: Update USERS.md (#17683)

Add Shield.com as one of the users in the USER.md file

Signed-off-by: suhas-chikkanna <162577490+suhas-chikkanna@users.noreply.github.com>
---
 USERS.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/USERS.md b/USERS.md
index 09f25ea5bf006..6f35c32acb661 100644
--- a/USERS.md
+++ b/USERS.md
@@ -264,6 +264,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [SCRM Lidl International Hub](https://scrm.lidl)
 1. [SEEK](https://seek.com.au)
 1. [Semgrep](https://semgrep.com)
+1. [Shield](https://shield.com)
 1. [SI Analytics](https://si-analytics.ai)
 1. [Skit](https://skit.ai/)
 1. [Skyscanner](https://www.skyscanner.net/)
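Review bot: The new `default:` branch matches the full apiserver text `metadata.annotations: Too long: must have at most 262144 bytes`, while its comment says it checks for `metadata.annotation: Too long`; the exact wording and the byte figure are apiserver implementation details that have varied across Kubernetes releases, so matching the shorter prefix `strings.Contains(res.Message, "metadata.annotations: Too long")` would keep the hint firing after the message changes. The appended text begins with `" \n -Additional Info:"`, a space before the newline and a stray hyphen; `"%s\nAdditional info: …"` reads cleaner and avoids the trailing space. The comment's singular `metadata.annotation` should also match the `metadata.annotations` field actually searched. `AugmentSyncMsg` starts outside the hunk.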