forked from wolfi-dev/advisories
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathargo-cd-2.12.advisories.yaml
More file actions
159 lines (151 loc) · 5.83 KB
/
argo-cd-2.12.advisories.yaml
File metadata and controls
159 lines (151 loc) · 5.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
schema-version: 2.0.2
package:
name: argo-cd-2.12
advisories:
- id: CGA-59fg-fwfg-r72p
aliases:
- CVE-2024-35255
- GHSA-m5vv-6r4h-3vj9
events:
- timestamp: 2024-08-06T23:01:36Z
type: detection
data:
type: scan/v1
data:
subpackageName: argo-cd-2.12
componentID: 6649e83b9b682b57
componentName: github.com/Azure/azure-sdk-for-go/sdk/azidentity
componentVersion: v1.1.0
componentType: go-module
componentLocation: /usr/bin/argocd
scanner: grype
- timestamp: 2024-08-16T12:45:37Z
type: pending-upstream-fix
data:
note: This vulnerability requires upstream changes to upgrade a strict dependency 'github.com/Azure/kubelogin' from the current v0.0.20 version to v0.1.3 which does not contain any vulnerable code.
- id: CGA-cqgw-hf7g-vm4x
aliases:
- CVE-2024-34155
- GHSA-8xfx-rj4p-23jm
events:
- timestamp: 2024-09-10T07:12:40Z
type: detection
data:
type: scan/v1
data:
subpackageName: argo-cd-2.12
componentID: 93ba1e2cd6e62782
componentName: stdlib
componentVersion: go1.23.0
componentType: go-module
componentLocation: /usr/bin/argocd
scanner: grype
- timestamp: 2024-09-12T00:39:32Z
type: fixed
data:
fixed-version: 2.12.3-r1
- id: CGA-vh5m-4339-22x7
aliases:
- CVE-2024-51744
- GHSA-29wx-vh33-7x7r
events:
- timestamp: 2024-11-05T09:11:08Z
type: detection
data:
type: scan/v1
data:
subpackageName: argo-cd-2.12-compat
componentID: 08c5531f09b43f1b
componentName: github.com/golang-jwt/jwt/v4
componentVersion: v4.5.0
componentType: go-module
componentLocation: /usr/local/bin/argocd
scanner: grype
- id: CGA-w23p-x3vf-72hx
aliases:
- CVE-2024-5321
- GHSA-82m2-cv7p-4m75
events:
- timestamp: 2024-08-06T23:01:35Z
type: detection
data:
type: scan/v1
data:
subpackageName: argo-cd-2.12
componentID: 61c300fe1902f686
componentName: k8s.io/kubernetes
componentVersion: v1.29.6
componentType: go-module
componentLocation: /usr/bin/argocd
scanner: grype
- timestamp: 2024-08-16T12:45:19Z
type: pending-upstream-fix
data:
note: This vulnerability requires code changes in the upstream repository and an upgrade of the used Kubernetes version with potential unexpected results.
- timestamp: 2024-09-12T00:39:32Z
type: fixed
data:
fixed-version: 2.12.3-r1
- id: CGA-x55r-5fg4-3vxv
aliases:
- CVE-2024-34156
- GHSA-crqm-pwhx-j97f
events:
- timestamp: 2024-09-10T07:12:42Z
type: detection
data:
type: scan/v1
data:
subpackageName: argo-cd-2.12
componentID: 93ba1e2cd6e62782
componentName: stdlib
componentVersion: go1.23.0
componentType: go-module
componentLocation: /usr/bin/argocd
scanner: grype
- timestamp: 2024-09-12T00:39:33Z
type: fixed
data:
fixed-version: 2.12.3-r1
- id: CGA-xvph-r2q6-xwhx
aliases:
- CVE-2024-34158
- GHSA-j7vj-rw65-4v26
events:
- timestamp: 2024-09-10T07:12:43Z
type: detection
data:
type: scan/v1
data:
subpackageName: argo-cd-2.12
componentID: 93ba1e2cd6e62782
componentName: stdlib
componentVersion: go1.23.0
componentType: go-module
componentLocation: /usr/bin/argocd
scanner: grype
- timestamp: 2024-09-12T00:39:33Z
type: fixed
data:
fixed-version: 2.12.3-r1
- id: CGA-pxc7-25w4-xvcr
aliases:
- CVE-2025-23216
- GHSA-47g2-qmh2-749v
events:
- timestamp: 2025-06-13T03:34:38Z
type: false-positive-determination
data:
type: inline-mitigations-exist
note: 'Vulnerability was fixed by upstream, vulnerablility data is not complete. Commit reference with fix: https://github.com/argoproj/argo-cd/commit/a9d8027d4a8bf3230e16063d4a24fbcaa3a8b457'
- timestamp: 2025-06-16T21:56:51Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: |-
Argoproject has fixed CVE-2025-23216 in the GitOps Engine repository with commit https://github.com/argoproj/gitops-engine/commit/faf5a4e5c37d22fedaa2726b430af5b5ae9e567a.
However, a new version tag was never generated and versions of ArgoCD were updated with the specific hash but through "go get github.com/argoproj/gitops-engine@faf5a4e5c37d22fedaa2726b430af5b5ae9e567a" which
appends the date + hash on-top of the current version tag, in this case updated v0.7.1-0.20240714153147-adb68bcaab73 to v0.7.1-0.20250129155113-faf5a4e5c37d, which both versions still state v0.7.1 as vulnerable. This is due to
a limitation in scanners which utilize the semantic version to determine which versions are vulnerable and fixed. Chainguard has submitted a change request to Github tracking the vulnerablity information https://github.com/github/advisory-database/pull/5689
Also have submitted multiple issues with upstream Argoproject/Argo-CD: https://github.com/argoproj/gitops-engine/issues/736 and https://github.com/argoproj/gitops-engine/issues/729 so the Argoproject can address the issue.
Argo-CD version 2.11 contains the fix for this CVE as referenced by this version v0.7.1-0.20250129155113-faf5a4e5c37d or later