diff --git a/Dockerfile b/Dockerfile index 6ba69702b43e2..40736dfa8ebaf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -83,7 +83,7 @@ WORKDIR /home/argocd #################################################################################################### # Argo CD UI stage #################################################################################################### -FROM --platform=$BUILDPLATFORM docker.io/library/node:21.6.2@sha256:65998e325b06014d4f1417a8a6afb1540d1ac66521cca76f2221a6953947f9ee AS argocd-ui +FROM --platform=$BUILDPLATFORM docker.io/library/node:21.7.0@sha256:104b26b5d34f9907f1f1e5e51fd9e557845f1a354f07ee9f28814dd9574a6154 AS argocd-ui WORKDIR /src COPY ["ui/package.json", "ui/yarn.lock", "./"] diff --git a/USERS.md b/USERS.md index 14cb981665f08..32f665c6e9bb1 100644 --- a/USERS.md +++ b/USERS.md @@ -44,6 +44,7 @@ Currently, the following organizations are **officially** using Argo CD: 1. [BMW Group](https://www.bmwgroup.com/) 1. [Boozt](https://www.booztgroup.com/) 1. [Boticario](https://www.boticario.com.br/) +1. [Broker Consulting, a.s.](https://www.bcas.cz/en/) 1. [Bulder Bank](https://bulderbank.no) 1. [CAM](https://cam-inc.co.jp) 1. [Camptocamp](https://camptocamp.com) diff --git a/cmd/argocd/commands/login.go b/cmd/argocd/commands/login.go index abb2b004291c2..2b356706a0792 100644 --- a/cmd/argocd/commands/login.go +++ b/cmd/argocd/commands/login.go @@ -31,6 +31,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/localconfig" oidcutil "github.com/argoproj/argo-cd/v2/util/oidc" "github.com/argoproj/argo-cd/v2/util/rand" + oidcconfig "github.com/argoproj/argo-cd/v2/util/settings" ) // NewLoginCommand returns a new instance of `argocd login` command 
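Review bot: The new import aliases `util/settings` as `oidcconfig`, which misnames the package (it is the general server-settings package, not an OIDC-specific one) and invites confusion with the `oidcutil` and `oidcSettings` identifiers already used in this file. Prefer the package's own name, `settings "github.com/argoproj/argo-cd/v2/util/settings"` (or drop the alias entirely if no other `settings` import exists in this file — not visible here), and refer to the type as `settings.OIDCConfig` at the use site. This hunk is the import block only; the usage is in a later hunk of the same file.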
@@ -306,6 +307,7 @@ func oauth2Login( fmt.Printf("Opening browser for authentication\n") var url string + var oidcconfig oidcconfig.OIDCConfig grantType := oidcutil.InferGrantType(oidcConf) opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline} if claimsRequested := oidcSettings.GetIDTokenClaims(); claimsRequested != nil { @@ -316,6 +318,9 @@ func oauth2Login( case oidcutil.GrantTypeAuthorizationCode: opts = append(opts, oauth2.SetAuthURLParam("code_challenge", codeChallenge)) opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256")) + if oidcconfig.DomainHint != "" { + opts = append(opts, oauth2.SetAuthURLParam("domain_hint", oidcconfig.DomainHint)) + } url = oauth2conf.AuthCodeURL(stateNonce, opts...) case oidcutil.GrantTypeImplicit: url, err = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...) diff --git a/docs/operator-manual/applicationset/Generators-Cluster.md b/docs/operator-manual/applicationset/Generators-Cluster.md index 3cdc5a3dade62..de769b94deed9 100644 --- a/docs/operator-manual/applicationset/Generators-Cluster.md +++ b/docs/operator-manual/applicationset/Generators-Cluster.md @@ -64,6 +64,7 @@ In this example, the cluster secret's `name` and `server` fields are used to pop A label selector may be used to narrow the scope of targeted clusters to only those matching a specific label: ```yaml +apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: name: guestbook @@ -88,6 +89,7 @@ spec: This would match an Argo CD cluster secret containing: ```yaml +apiVersion: v1 kind: Secret data: # (... fields as above ...) diff --git a/docs/operator-manual/user-management/auth0.md b/docs/operator-manual/user-management/auth0.md index 411517df05e06..c20b5f5af30c9 100644 --- a/docs/operator-manual/user-management/auth0.md +++ b/docs/operator-manual/user-management/auth0.md @@ -39,6 +39,7 @@ data: issuer: https://..auth0.com/ clientID: clientSecret: + domain_hint: requestedScopes: - openid - profile 
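Review bot: `var oidcconfig oidcconfig.OIDCConfig` introduces a local whose name is identical to the package alias it is typed with, so for the remainder of `oauth2Login` the identifier `oidcconfig` refers to the variable and the package can no longer be reached; it compiles only because Go resolves the type expression before the new variable's scope begins. The variable is also never assigned in the visible lines, so it holds the zero value. Give the local a distinct name, e.g. `var cfg oidcconfig.OIDCConfig`, and populate it from the settings the CLI already received from the server (the `oidcSettings` value consulted on the next lines) rather than leaving it as a fresh struct. `oauth2Login` begins before this hunk.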
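Review bot: The `if oidcconfig.DomainHint != ""` guard is dead code: `oidcconfig` is the zero-value struct declared a few lines earlier and nothing assigns to it, so `DomainHint` is always `""` and `domain_hint` is never appended to the authorization URL, even when an operator has configured it. The hint has to be taken from the OIDC settings the CLI actually obtained from the server — the same object already used for `oidcSettings.GetIDTokenClaims()` — which presumably needs a corresponding domain-hint field/accessor exposed through the settings API; for example `if hint := oidcSettings.GetDomainHint(); hint != "" { opts = append(opts, oauth2.SetAuthURLParam("domain_hint", hint)) }`. Because this is an authorization-request parameter sent to the identity provider, it should come from the server-published configuration so CLI and UI logins send the same request. The `switch` and `oauth2Login` itself both extend outside this hunk.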
diff --git a/docs/snyk/index.md b/docs/snyk/index.md index fb6b4e3ec5b22..59083b0522e46 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md @@ -17,8 +17,8 @@ recent minor releases. | [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.38.0](master/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 2 | 2 | | [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 5 | 7 | -| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 9 | +| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | @@ -30,7 +30,7 @@ recent minor releases. | [ui/yarn.lock](v2.11.0-rc3/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.38.0](v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 2 | 2 | | [haproxy:2.6.14-alpine](v2.11.0-rc3/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.11.0-rc3](v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html) | 0 | 0 | 5 | 14 | +| [argocd:v2.11.0-rc3](v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html) | 0 | 0 | 3 | 16 | | [redis:7.0.14-alpine](v2.11.0-rc3/redis_7.0.14-alpine.html) | 0 | 0 | 2 | 2 | | [install.yaml](v2.11.0-rc3/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.11.0-rc3/argocd-iac-namespace-install.html) | - | - | - | - | 
@@ -43,8 +43,8 @@ recent minor releases. | [ui/yarn.lock](v2.10.9/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.37.0](v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 2 | | [haproxy:2.6.14-alpine](v2.10.9/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.10.9](v2.10.9/quay.io_argoproj_argocd_v2.10.9.html) | 0 | 0 | 5 | 14 | -| [redis:7.0.15-alpine](v2.10.9/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:v2.10.9](v2.10.9/quay.io_argoproj_argocd_v2.10.9.html) | 0 | 0 | 3 | 16 | +| [redis:7.0.15-alpine](v2.10.9/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.10.9/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.10.9/argocd-iac-namespace-install.html) | - | - | - | - | @@ -56,8 +56,8 @@ recent minor releases. | [ui/yarn.lock](v2.9.14/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.37.0](v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 2 | | [haproxy:2.6.14-alpine](v2.9.14/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.9.14](v2.9.14/quay.io_argoproj_argocd_v2.9.14.html) | 0 | 0 | 5 | 14 | -| [redis:7.0.15-alpine](v2.9.14/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:v2.9.14](v2.9.14/quay.io_argoproj_argocd_v2.9.14.html) | 0 | 0 | 3 | 16 | +| [redis:7.0.15-alpine](v2.9.14/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.9.14/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.9.14/argocd-iac-namespace-install.html) | - | - | - | - | 
@@ -69,7 +69,7 @@ recent minor releases. | [ui/yarn.lock](v2.8.18/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.37.0](v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 2 | | [haproxy:2.6.14-alpine](v2.8.18/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.8.18](v2.8.18/quay.io_argoproj_argocd_v2.8.18.html) | 0 | 0 | 5 | 14 | -| [redis:7.0.15-alpine](v2.8.18/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:v2.8.18](v2.8.18/quay.io_argoproj_argocd_v2.8.18.html) | 0 | 0 | 3 | 16 | +| [redis:7.0.15-alpine](v2.8.18/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.8.18/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.8.18/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index 0e4f29472e9bd..a9ce30ee9a437 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:17:58 am (UTC+00:00)

+

May 19th 2024, 12:17:37 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index ef78e6b3f1a92..2ecbdd43953e6 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:18:08 am (UTC+00:00)

+

May 19th 2024, 12:17:48 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index 52f41d2b0c437..692c13155cf62 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:01 am (UTC+00:00)

+

May 19th 2024, 12:15:42 am (UTC+00:00)

Scanned the following paths: @@ -469,7 +469,7 @@

Snyk test report

8 known vulnerabilities
164 vulnerable dependency paths
-
2060 dependencies
+
2056 dependencies
@@ -1115,7 +1115,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1@0.29.2 @@ -1319,7 +1319,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/cache@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/cache@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1336,7 +1336,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1353,7 +1353,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1527,7 +1527,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/ignore@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/ignore@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1546,7 +1546,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1565,7 +1565,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/testing@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/testing@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1660,7 +1660,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/health@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/health@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1850,9 +1850,9 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/health@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/health@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1869,9 +1869,9 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2021,7 +2021,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/diff@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/diff@#8a3ce6d85caa k8s.io/apimachinery/pkg/util/strategicpatch@0.29.2 @@ -2126,11 +2126,11 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/hook@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1@0.29.2 @@ -2516,13 +2516,13 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/hook@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2539,13 +2539,13 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2562,7 +2562,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/diff@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/diff@#8a3ce6d85caa k8s.io/kubectl/pkg/cmd/util@0.29.2 @@ -2825,7 +2825,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/kube/scheme@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube/scheme@#8a3ce6d85caa k8s.io/kubernetes/pkg/apis/storage/install@1.29.2 @@ -2900,15 +2900,15 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/ignore@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/ignore@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2950,7 +2950,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/cache@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/cache@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2977,7 +2977,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -3004,7 +3004,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html index d1448b0869436..9a0c6f958ce7a 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:11 am (UTC+00:00)

+

May 19th 2024, 12:15:50 am (UTC+00:00)

Scanned the following paths: diff --git a/docs/snyk/master/haproxy_2.6.14-alpine.html b/docs/snyk/master/haproxy_2.6.14-alpine.html index c88335a9558c1..0505efdb92942 100644 --- a/docs/snyk/master/haproxy_2.6.14-alpine.html +++ b/docs/snyk/master/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:18 am (UTC+00:00)

+

May 19th 2024, 12:15:57 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index d7453ed035a19..09f43acec0de0 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:34 am (UTC+00:00)

+

May 19th 2024, 12:16:15 am (UTC+00:00)

Scanned the following paths: @@ -472,7 +472,7 @@

Snyk test report

20 known vulnerabilities
80 vulnerable dependency paths
-
2285 dependencies
+
2287 dependencies
@@ -845,7 +845,7 @@

References

-

CVE-2024-26458

+

CVE-2024-26462

@@ -1035,24 +1035,25 @@

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

-

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

+

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Remediation

There is no fixed version for Ubuntu:24.04 krb5.

References


-

CVE-2024-26462

+

LGPL-3.0 license

@@ -1063,21 +1064,21 @@

CVE-2024-26462

  • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd
  • - Package Manager: ubuntu:24.04 + Package Manager: golang
  • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
  • Introduced through: + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 - docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others
@@ -1089,146 +1090,69 @@

Detailed paths

  • Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.20.1-6ubuntu2 + gopkg.in/retry.v1@v1.0.3
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - +
- -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - openssh/openssh-client@1:9.6p1-3ubuntu13 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - +
  • +
    +

    MPL-2.0 license

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - libssh/libssh-4@0.10.6-2build2 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - +
    -
  • +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    -

    CVE-2024-26461

    +

    MPL-2.0 license

    @@ -1270,21 +1184,21 @@

    CVE-2024-26461

    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:24.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + github.com/hashicorp/go-version
    • Introduced through: + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.6.0 - docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others
    @@ -1296,177 +1210,30 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.20.1-6ubuntu2 + github.com/hashicorp/go-version@v1.6.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - openssh/openssh-client@1:9.6p1-3ubuntu13 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - libssh/libssh-4@0.10.6-2build2 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - krb5/krb5-locales@1.20.1-6ubuntu2 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 krb5.

    -

    References

    - +

    MPL-2.0 license


    -

    LGPL-3.0 license

    +

    MPL-2.0 license

    @@ -1485,12 +1252,12 @@

    LGPL-3.0 license

  • Module: - gopkg.in/retry.v1 + github.com/hashicorp/go-retryablehttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4
  • @@ -1505,7 +1272,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + github.com/hashicorp/go-retryablehttp@v0.7.4 @@ -1516,12 +1283,12 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    MPL-2.0 license


    @@ -1537,7 +1304,7 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:latest/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -1545,12 +1312,12 @@

      MPL-2.0 license

    • Module: - github.com/r3labs/diff + github.com/hashicorp/go-multierror
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1
    @@ -1563,9 +1330,9 @@

    Detailed paths

    @@ -1605,12 +1372,12 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-version + github.com/hashicorp/go-cleanhttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.6.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2
  • @@ -1625,7 +1392,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/hashicorp/go-version@v1.6.0 + github.com/hashicorp/go-cleanhttp@v0.5.2 @@ -1641,7 +1408,7 @@

    Detailed paths


    @@ -1665,12 +1432,12 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-retryablehttp + github.com/gosimple/slug
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 + github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1
  • @@ -1685,7 +1452,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/hashicorp/go-retryablehttp@v0.7.4 + github.com/gosimple/slug@v1.13.1 @@ -1701,36 +1468,36 @@

    Detailed paths


    -
    -

    MPL-2.0 license

    +
    +

    CVE-2023-7008

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:latest/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:24.04
    • - Module: + Vulnerable module: - github.com/hashicorp/go-multierror + systemd/libsystemd0
    • Introduced through: - helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 + docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@255.4-1ubuntu8
    @@ -1743,213 +1510,33 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + docker-image|quay.io/argoproj/argocd@latest - github.com/hashicorp/go-multierror@v1.1.1 + systemd/libsystemd0@255.4-1ubuntu8
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-cleanhttp -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@latest - github.com/hashicorp/go-cleanhttp@v0.5.2 + apt@2.7.14build2 + + systemd/libsystemd0@255.4-1ubuntu8
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/gosimple/slug -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/gosimple/slug@v1.13.1 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    CVE-2023-7008

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@255.4-1ubuntu8 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libsystemd0@255.4-1ubuntu8 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.7.14build2 - - systemd/libsystemd0@255.4-1ubuntu8 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - procps/libproc2-0@2:4.0.4-4ubuntu3 - - systemd/libsystemd0@255.4-1ubuntu8 - - +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + procps/libproc2-0@2:4.0.4-4ubuntu3 + + systemd/libsystemd0@255.4-1ubuntu8 + +
    • @@ -2253,6 +1840,422 @@

      References

      More about this vulnerability

    +
    +
    +

    CVE-2024-26458

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:9.6p1-3ubuntu13 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + krb5/krb5-locales@1.20.1-6ubuntu2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 krb5.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-26461

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:9.6p1-3ubuntu13 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + krb5/krb5-locales@1.20.1-6ubuntu2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 krb5.

    +

    References

    + + +
    + + +

    Out-of-bounds Write

    diff --git a/docs/snyk/master/redis_7.0.15-alpine.html b/docs/snyk/master/redis_7.0.15-alpine.html index a0b91c7029d69..9fee829178109 100644 --- a/docs/snyk/master/redis_7.0.15-alpine.html +++ b/docs/snyk/master/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:16:40 am (UTC+00:00)

    +

    May 19th 2024, 12:16:21 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.10.9/argocd-iac-install.html b/docs/snyk/v2.10.9/argocd-iac-install.html index 946bc64c22e02..1b9a9efab0dce 100644 --- a/docs/snyk/v2.10.9/argocd-iac-install.html +++ b/docs/snyk/v2.10.9/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:26 am (UTC+00:00)

    +

    May 19th 2024, 12:22:08 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.9/argocd-iac-namespace-install.html b/docs/snyk/v2.10.9/argocd-iac-namespace-install.html index 34954868435f4..54b01665ce718 100644 --- a/docs/snyk/v2.10.9/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.10.9/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:35 am (UTC+00:00)

    +

    May 19th 2024, 12:22:17 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.9/argocd-test.html b/docs/snyk/v2.10.9/argocd-test.html index 35bb83c34afba..f8505a7feefae 100644 --- a/docs/snyk/v2.10.9/argocd-test.html +++ b/docs/snyk/v2.10.9/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:34 am (UTC+00:00)

    +

    May 19th 2024, 12:20:12 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html index 7c9ad71eb2223..89c9d85876d02 100644 --- a/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:41 am (UTC+00:00)

    +

    May 19th 2024, 12:20:20 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html b/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html index b0def3340ca0e..fa1114b09e35c 100644 --- a/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:44 am (UTC+00:00)

    +

    May 19th 2024, 12:20:24 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html b/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html index 3bc3e86dcf416..e2bb4ee040fca 100644 --- a/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html +++ b/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:21:02 am (UTC+00:00)

    +

    May 19th 2024, 12:20:43 am (UTC+00:00)

    Scanned the following paths: @@ -850,7 +850,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1053,24 +1053,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1081,20 +1082,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1107,159 +1108,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1270,27 +1181,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1301,20 +1213,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1327,190 +1239,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1527,14 +1287,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1549,7 +1309,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1560,17 +1320,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    Authentication Bypass by Capture-replay

    @@ -1589,12 +1360,12 @@

    Infinite loop

  • Vulnerable module: - google.golang.org/protobuf/internal/encoding/json + golang.org/x/crypto/ssh
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0
  • @@ -1609,7 +1380,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + golang.org/x/crypto/ssh@v0.16.0 @@ -1621,27 +1392,54 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    Remediation

    -

    Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Stack-based Buffer Overflow

    +

    MPL-2.0 license

    @@ -1658,14 +1456,14 @@

    Stack-based Buffer Overflow

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -1680,7 +1478,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/r3labs/diff@v1.1.0 @@ -1691,25 +1489,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1726,14 +1516,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  • @@ -1748,236 +1538,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 - - - - - - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Authentication Bypass by Capture-replay

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - golang.org/x/crypto/ssh@v0.16.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/r3labs/diff -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/r3labs/diff@v1.1.0 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-version -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-version@v1.2.1 + github.com/hashicorp/go-version@v1.2.1 @@ -2702,20 +2263,620 @@

      Release of Invalid Pointer or Reference

      docker-image|quay.io/argoproj/argocd@v2.10.9 and patch@2.7.6-7build2 -
    • -
    + + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.9 and patch@2.7.6-7build2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-50495

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + -
      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + -

      Detailed paths

      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + -
    -

    Double Free

    +

    Resource Exhaustion

    @@ -2765,12 +2927,12 @@

    Double Free

  • Vulnerable module: - patch + libzstd/libzstd1
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.10.9 and libzstd/libzstd1@1.4.8+dfsg-3build1
  • @@ -2785,7 +2947,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - patch@2.7.6-7build2 + libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -2797,31 +2959,33 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    References


    -

    CVE-2023-50495

    +

    Integer Overflow or Wraparound

    @@ -2840,12 +3004,12 @@

    CVE-2023-50495

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -2860,7 +3024,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2869,31 +3033,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2902,42 +3054,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2946,9 +3077,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -2957,28 +3086,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -2987,7 +3107,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -2996,9 +3116,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3007,13 +3127,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3022,18 +3140,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3042,7 +3155,17 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/ncurses-base@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3051,7 +3174,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3063,29 +3186,30 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    -
  • -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -3104,12 +3228,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3124,7 +3248,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3133,31 +3257,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3166,42 +3278,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3210,9 +3301,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3221,28 +3310,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3251,7 +3331,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3260,9 +3340,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3271,13 +3351,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3286,27 +3364,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3315,78 +3379,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.9 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3627,23 +3633,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.10.9/redis_7.0.15-alpine.html b/docs/snyk/v2.10.9/redis_7.0.15-alpine.html index 8c9ee9c06a8d4..85521508e81d5 100644 --- a/docs/snyk/v2.10.9/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.10.9/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:21:06 am (UTC+00:00)

    +

    May 19th 2024, 12:20:50 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.11.0-rc3/argocd-iac-install.html b/docs/snyk/v2.11.0-rc3/argocd-iac-install.html index 34867c2bb5cb4..819ad88d27a5b 100644 --- a/docs/snyk/v2.11.0-rc3/argocd-iac-install.html +++ b/docs/snyk/v2.11.0-rc3/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:15 am (UTC+00:00)

    +

    May 19th 2024, 12:19:52 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html b/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html index 26e7b55363198..5a7fbccbb3432 100644 --- a/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:23 am (UTC+00:00)

    +

    May 19th 2024, 12:20:01 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.0-rc3/argocd-test.html b/docs/snyk/v2.11.0-rc3/argocd-test.html index 32bb15b1630eb..75e671e4b1020 100644 --- a/docs/snyk/v2.11.0-rc3/argocd-test.html +++ b/docs/snyk/v2.11.0-rc3/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:22 am (UTC+00:00)

    +

    May 19th 2024, 12:18:00 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html index fb1fd786706f4..4b3d46a8a0f63 100644 --- a/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:27 am (UTC+00:00)

    +

    May 19th 2024, 12:18:05 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html b/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html index 063d929aa1207..44979eafbfdf6 100644 --- a/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:31 am (UTC+00:00)

    +

    May 19th 2024, 12:18:09 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html b/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html index 9cdfa2b6de39f..0d2775074d097 100644 --- a/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html +++ b/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:51 am (UTC+00:00)

    +

    May 19th 2024, 12:18:29 am (UTC+00:00)

    Scanned the following paths: @@ -850,7 +850,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1053,24 +1053,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1081,20 +1082,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1107,159 +1108,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1270,27 +1181,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1301,20 +1213,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1327,190 +1239,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1527,14 +1287,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1549,7 +1309,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1560,17 +1320,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1587,14 +1358,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/internal/encoding/json + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -1609,7 +1380,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/r3labs/diff@v1.1.0 @@ -1620,28 +1391,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Stack-based Buffer Overflow

    +

    MPL-2.0 license

    @@ -1658,14 +1418,14 @@

    Stack-based Buffer Overflow

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  • @@ -1680,7 +1440,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/hashicorp/go-version@v1.2.1 @@ -1691,25 +1451,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1726,14 +1478,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-retryablehttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4
  • @@ -1748,7 +1500,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/hashicorp/go-retryablehttp@v0.7.4 @@ -1759,23 +1511,12 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    @@ -1791,7 +1532,7 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -1799,12 +1540,12 @@

      MPL-2.0 license

    • Module: - github.com/r3labs/diff + github.com/hashicorp/go-multierror
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1
    @@ -1817,9 +1558,9 @@

    Detailed paths

    @@ -1859,187 +1600,7 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-version -
  • - -
  • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 - -
  • - - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-version@v1.2.1 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-retryablehttp -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-retryablehttp@v0.7.4 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/helm/v3 /usr/local/bin/helm -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-multierror -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - github.com/hashicorp/go-multierror@v1.1.1 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-cleanhttp + github.com/hashicorp/go-cleanhttp
    • Introduced through: @@ -2913,12 +2474,575 @@

      References


      + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    Resource Exhaustion

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + libzstd/libzstd1 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and libzstd/libzstd1@1.4.8+dfsg-3build1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + libzstd/libzstd1@1.4.8+dfsg-3build1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    +

    References

    + + +
    + + + +
    +
    +

    Integer Overflow or Wraparound

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libkrb5-3@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libkrb5-3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libkrb5-3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + openssh/openssh-client@1:8.9p1-3ubuntu0.7 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libkrb5support0@1.19.2-2ubuntu0.3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    References

    + + +
    + +
    -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -2937,12 +3061,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -2957,7 +3081,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2966,31 +3090,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2999,42 +3111,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3043,9 +3134,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3054,28 +3143,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3084,7 +3164,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3093,9 +3173,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3104,13 +3184,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3119,27 +3197,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3148,78 +3212,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3460,23 +3466,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html b/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html index e346bca7655a3..3098ab07a6faa 100644 --- a/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html +++ b/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:56 am (UTC+00:00)

    +

    May 19th 2024, 12:18:35 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.18/argocd-iac-install.html b/docs/snyk/v2.8.18/argocd-iac-install.html index d96fcc452bb05..f99e637b1be4d 100644 --- a/docs/snyk/v2.8.18/argocd-iac-install.html +++ b/docs/snyk/v2.8.18/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:26:37 am (UTC+00:00)

    +

    May 19th 2024, 12:26:31 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.18/argocd-iac-namespace-install.html b/docs/snyk/v2.8.18/argocd-iac-namespace-install.html index 92d8dd0d6a7c0..dcc47f8181ca6 100644 --- a/docs/snyk/v2.8.18/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.8.18/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:26:45 am (UTC+00:00)

    +

    May 19th 2024, 12:26:41 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.18/argocd-test.html b/docs/snyk/v2.8.18/argocd-test.html index 2c70cafaf9082..b0f63c4dc03dd 100644 --- a/docs/snyk/v2.8.18/argocd-test.html +++ b/docs/snyk/v2.8.18/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:24:58 am (UTC+00:00)

    +

    May 19th 2024, 12:24:53 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html index d4b292a49d0d4..f407e4b750f67 100644 --- a/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:05 am (UTC+00:00)

    +

    May 19th 2024, 12:24:58 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html b/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html index 0cd4750216288..9b045aea3af26 100644 --- a/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:09 am (UTC+00:00)

    +

    May 19th 2024, 12:25:02 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html b/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html index c52c87c03f4c5..795a9d43dce53 100644 --- a/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html +++ b/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:26 am (UTC+00:00)

    +

    May 19th 2024, 12:25:21 am (UTC+00:00)

    Scanned the following paths: @@ -1103,7 +1103,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1306,24 +1306,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1334,20 +1335,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1360,159 +1361,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1523,27 +1434,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1554,20 +1466,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1580,190 +1492,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1780,14 +1540,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1802,7 +1562,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1813,17 +1573,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    Allocation of Resources Without Limits or Throttling

    @@ -1834,7 +1605,7 @@

    Infinite loop

    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.18/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -1842,12 +1613,12 @@

      Infinite loop

    • Vulnerable module: - google.golang.org/protobuf/internal/encoding/json + golang.org/x/net/http2
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0
    @@ -1860,9 +1631,9 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + helm.sh/helm/v3@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + golang.org/x/net/http2@v0.8.0 @@ -1874,27 +1645,28 @@

      Detailed paths


      Overview

      -

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      +

      Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

      Note:

      -

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      +

      This issue is related to CVE-2023-44487

      Remediation

      -

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      +

      Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

      References


    -

    Stack-based Buffer Overflow

    +

    Authentication Bypass by Capture-replay

    @@ -1913,12 +1685,12 @@

    Stack-based Buffer Overflow

  • Vulnerable module: - google.golang.org/protobuf/encoding/protojson + golang.org/x/crypto/ssh
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0
  • @@ -1933,7 +1705,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + golang.org/x/crypto/ssh@v0.16.0 @@ -1945,24 +1717,54 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    +

    Note:

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1979,14 +1781,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -2001,248 +1803,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 - - - - - - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/helm/v3 /usr/local/bin/helm -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http2 -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/net/http2@v0.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

    -

    Note:

    -

    This issue is related to CVE-2023-44487

    -

    Remediation

    -

    Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Authentication Bypass by Capture-replay

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - golang.org/x/crypto/ssh@v0.16.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/r3labs/diff -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/r3labs/diff@v1.1.0 + github.com/r3labs/diff@v1.1.0 @@ -3027,20 +2588,620 @@

      Release of Invalid Pointer or Reference

      docker-image|quay.io/argoproj/argocd@v2.8.18 and patch@2.7.6-7build2 -
    • -
    + + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.18 and patch@2.7.6-7build2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-50495

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + -
      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + -

      Detailed paths

      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + -
    -

    Double Free

    +

    Resource Exhaustion

    @@ -3090,12 +3252,12 @@

    Double Free

  • Vulnerable module: - patch + libzstd/libzstd1
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.8.18 and libzstd/libzstd1@1.4.8+dfsg-3build1
  • @@ -3110,7 +3272,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - patch@2.7.6-7build2 + libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -3122,31 +3284,33 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    References


    -

    CVE-2023-50495

    +

    Integer Overflow or Wraparound

    @@ -3165,12 +3329,12 @@

    CVE-2023-50495

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3185,7 +3349,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3194,31 +3358,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3227,42 +3379,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3271,9 +3402,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3282,28 +3411,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3312,7 +3432,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3321,9 +3441,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3332,13 +3452,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3347,18 +3465,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3367,7 +3480,17 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/ncurses-base@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3376,7 +3499,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3388,29 +3511,30 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    -
  • -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -3429,12 +3553,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3449,7 +3573,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3458,31 +3582,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3491,42 +3603,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3535,9 +3626,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3546,28 +3635,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3576,7 +3656,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3585,9 +3665,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3596,13 +3676,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3611,27 +3689,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3640,78 +3704,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.8.18 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3952,23 +3958,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.8.18/redis_7.0.15-alpine.html b/docs/snyk/v2.8.18/redis_7.0.15-alpine.html index e7558103882c2..5a9e619702ce8 100644 --- a/docs/snyk/v2.8.18/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.8.18/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:30 am (UTC+00:00)

    +

    May 19th 2024, 12:25:25 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.9.14/argocd-iac-install.html b/docs/snyk/v2.9.14/argocd-iac-install.html index 71ba1d44dc046..9240800256648 100644 --- a/docs/snyk/v2.9.14/argocd-iac-install.html +++ b/docs/snyk/v2.9.14/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:24:34 am (UTC+00:00)

    +

    May 19th 2024, 12:24:26 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.14/argocd-iac-namespace-install.html b/docs/snyk/v2.9.14/argocd-iac-namespace-install.html index 7e387eff00008..efaa9ba6c1475 100644 --- a/docs/snyk/v2.9.14/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.9.14/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:24:42 am (UTC+00:00)

    +

    May 19th 2024, 12:24:37 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.14/argocd-test.html b/docs/snyk/v2.9.14/argocd-test.html index ac27e76eb2bb4..1bc460a6a41fc 100644 --- a/docs/snyk/v2.9.14/argocd-test.html +++ b/docs/snyk/v2.9.14/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:50 am (UTC+00:00)

    +

    May 19th 2024, 12:22:37 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html index 1cfb5dfc53be9..bfd1c07ea5b8b 100644 --- a/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:55 am (UTC+00:00)

    +

    May 19th 2024, 12:22:45 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html b/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html index afe6b309d4cd5..f068ccbedb254 100644 --- a/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:59 am (UTC+00:00)

    +

    May 19th 2024, 12:22:49 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html b/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html index 926cbb1519c53..506e20fb2785a 100644 --- a/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html +++ b/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:23:16 am (UTC+00:00)

    +

    May 19th 2024, 12:23:08 am (UTC+00:00)

    Scanned the following paths: @@ -932,7 +932,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1135,24 +1135,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1163,20 +1164,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1189,159 +1190,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1352,27 +1263,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1383,20 +1295,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1409,190 +1321,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1609,14 +1369,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1631,7 +1391,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1642,17 +1402,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    Authentication Bypass by Capture-replay

    @@ -1671,12 +1442,12 @@

    Infinite loop

  • Vulnerable module: - google.golang.org/protobuf/internal/encoding/json + golang.org/x/crypto/ssh
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0
  • @@ -1691,7 +1462,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + golang.org/x/crypto/ssh@v0.16.0 @@ -1703,27 +1474,54 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    Remediation

    -

    Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Stack-based Buffer Overflow

    +

    MPL-2.0 license

    @@ -1740,14 +1538,14 @@

    Stack-based Buffer Overflow

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -1762,7 +1560,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/r3labs/diff@v1.1.0 @@ -1773,25 +1571,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1808,14 +1598,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  • @@ -1830,236 +1620,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 - - - - - - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Authentication Bypass by Capture-replay

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - golang.org/x/crypto/ssh@v0.16.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/r3labs/diff -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/r3labs/diff@v1.1.0 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-version -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-version@v1.2.1 + github.com/hashicorp/go-version@v1.2.1 @@ -2784,20 +2345,620 @@

      Release of Invalid Pointer or Reference

      docker-image|quay.io/argoproj/argocd@v2.9.14 and patch@2.7.6-7build2 -
    • -
    + + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.9.14 and patch@2.7.6-7build2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-50495

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + -
      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + -

      Detailed paths

      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + -
    -

    Double Free

    +

    Resource Exhaustion

    @@ -2847,12 +3009,12 @@

    Double Free

  • Vulnerable module: - patch + libzstd/libzstd1
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.9.14 and libzstd/libzstd1@1.4.8+dfsg-3build1
  • @@ -2867,7 +3029,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - patch@2.7.6-7build2 + libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -2879,31 +3041,33 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    References


    -

    CVE-2023-50495

    +

    Integer Overflow or Wraparound

    @@ -2922,12 +3086,12 @@

    CVE-2023-50495

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -2942,7 +3106,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2951,31 +3115,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2984,42 +3136,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3028,9 +3159,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3039,28 +3168,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3069,7 +3189,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3078,9 +3198,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3089,13 +3209,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3104,18 +3222,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3124,7 +3237,17 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/ncurses-base@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3133,7 +3256,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3145,29 +3268,30 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    -
  • -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -3186,12 +3310,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3206,7 +3330,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3215,31 +3339,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3248,42 +3360,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3292,9 +3383,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3303,28 +3392,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3333,7 +3413,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3342,9 +3422,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3353,13 +3433,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3368,27 +3446,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3397,78 +3461,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.9.14 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3709,23 +3715,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.9.14/redis_7.0.15-alpine.html b/docs/snyk/v2.9.14/redis_7.0.15-alpine.html index 3014ba8d24800..ed7cecdccf07a 100644 --- a/docs/snyk/v2.9.14/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.9.14/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:23:20 am (UTC+00:00)

    +

    May 19th 2024, 12:23:12 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index 1527c4b372c27..3fc1070feb1b2 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go @@ -1000,7 +1000,9 @@ func getHelmRepos(appPath string, repositories []*v1alpha1.Repository, helmRepoC // finally if repo is OCI and no credentials found, use the first OCI credential matching by hostname // see https://github.com/argoproj/argo-cd/issues/14636 for _, cred := range repositories { - if depURL, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && depURL.Host == cred.Repo { + // if the repo is OCI, don't match the repository URL exactly, but only as a dependent repository prefix just like in the getRepoCredential function + // see https://github.com/argoproj/argo-cd/issues/12436 + if _, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && strings.HasPrefix(dep.Repo, cred.Repo) { repo.Username = cred.Username repo.Password = cred.Password break diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go index edd40c630569e..a90d7da41062e 100644 --- a/reposerver/repository/repository_test.go +++ b/reposerver/repository/repository_test.go @@ -3036,9 +3036,9 @@ func Test_populateHelmAppDetails_values_symlinks(t *testing.T) { }) } -func TestGetHelmRepos_OCIDependencies(t *testing.T) { +func TestGetHelmRepos_OCIDependenciesWithHelmRepo(t *testing.T) { src := argoappv1.ApplicationSource{Path: "."} - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{ + q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{ {URL: "example.com", Username: "test", Password: "test", EnableOCI: true}, }} 
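Review bot: The new `strings.HasPrefix(dep.Repo, cred.Repo)` on the replacement line matches across host boundaries, so a credential stored for `example.com` is also copied into `repo.Username`/`repo.Password` for a dependency hosted at `example.com.evil.net/charts` or `example.computer/x`; the removed line compared the parsed host exactly and did not have this gap. Since `dep.Repo` appears to come from the chart's own dependency list, whoever controls that chart can name a look-alike host and have Argo CD present the stored password to it. Require a path boundary instead, e.g. `if _, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && (dep.Repo == cred.Repo || strings.HasPrefix(dep.Repo, strings.TrimSuffix(cred.Repo, "/")+"/")) {`. The added comment says this mirrors `getRepoCredential`, which is outside the hunk; if that helper uses the same bare prefix test it has the same weakness. Note also the loop still takes the first matching credential rather than the longest prefix, so with both `example.com` and `example.com/team` registered, list order decides; `getHelmRepos` begins before this hunk.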
@@ -3051,6 +3051,19 @@ func TestGetHelmRepos_OCIDependencies(t *testing.T) { assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo") } +func TestGetHelmRepos_OCIDependenciesWithRepo(t *testing.T) { + src := argoappv1.ApplicationSource{Path: "."} + q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{{Repo: "example.com", Username: "test", Password: "test", EnableOCI: true}}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{}} + + helmRepos, err := getHelmRepos("./testdata/oci-dependencies", q.Repos, q.HelmRepoCreds) + assert.Nil(t, err) + + assert.Equal(t, len(helmRepos), 1) + assert.Equal(t, helmRepos[0].Username, "test") + assert.Equal(t, helmRepos[0].EnableOci, true) + assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo") +} + func TestGetHelmRepo_NamedRepos(t *testing.T) { src := argoappv1.ApplicationSource{Path: "."} q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, Repos: []*argoappv1.Repository{{ diff --git a/ui/src/app/app.tsx b/ui/src/app/app.tsx index 67ef504c8a64d..fb52e54e03ddc 100644 --- a/ui/src/app/app.tsx +++ b/ui/src/app/app.tsx @@ -26,7 +26,7 @@ const base = bases.length > 0 ? bases[0].getAttribute('href') || '/' : '/'; export const history = createBrowserHistory({basename: base}); requests.setBaseHRef(base); -type Routes = {[path: string]: {component: React.ComponentType>; noLayout?: boolean; extension?: boolean}}; +type Routes = {[path: string]: {component: React.ComponentType>; noLayout?: boolean}}; const routes: Routes = { '/login': {component: login.component as any, noLayout: true}, @@ -182,8 +182,7 @@ export class App extends React.Component< ); extendedRoutes[extension.path] = { - component: component as React.ComponentType>, - extension: true + component: component as React.ComponentType> }; } 
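Review bot: `TestGetHelmRepos_OCIDependenciesWithRepo` only checks that a credential whose `Repo` is a prefix of the dependency URL is applied; nothing pins down that a credential for an unrelated registry that merely shares the prefix string is not applied, which is exactly the case the switch from host equality to `strings.HasPrefix` makes risky. Add a negative test whose credential host is a bare string prefix of `example.com/myrepo` (for example `example.co`) and assert that no username is copied; against the matcher as committed that test fails, which is the point. The final assertion assumes `getHelmRepos` leaves `Username` empty when nothing matches — confirm against the function body, which is not in this hunk. Minor style: `assert.Equal(t, len(helmRepos), 1)` passes actual before expected, the reverse of testify's `expected, actual` convention, so failure output reads backwards.
```go
func TestGetHelmRepos_OCIDependenciesNoCrossHostMatch(t *testing.T) {
	src := argoappv1.ApplicationSource{Path: "."}
	// "example.co" is a string prefix of "example.com/myrepo" but a different host
	q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{{Repo: "example.co", Username: "test", Password: "test", EnableOCI: true}}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{}}

	helmRepos, err := getHelmRepos("./testdata/oci-dependencies", q.Repos, q.HelmRepoCreds)
	assert.Nil(t, err)
	assert.Equal(t, 1, len(helmRepos))
	assert.Equal(t, "", helmRepos[0].Username)
}
```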
@@ -237,11 +236,7 @@ export class App extends React.Component< ) : ( services.viewPreferences.getPreferences()}> {pref => ( - this.setState({showVersionPanel: true})} - navItems={this.navItems} - pref={pref} - isExtension={route.extension}> + this.setState({showVersionPanel: true})} navItems={this.navItems} pref={pref}> diff --git a/ui/src/app/applications/components/application-details/application-resource-list.tsx b/ui/src/app/applications/components/application-details/application-resource-list.tsx index 6fc06abe9a150..2230e31bacea1 100644 --- a/ui/src/app/applications/components/application-details/application-resource-list.tsx +++ b/ui/src/app/applications/components/application-details/application-resource-list.tsx @@ -1,4 +1,4 @@ -import {DropDown} from 'argo-ui'; +import {DropDown, Tooltip} from 'argo-ui'; import * as React from 'react'; import * as classNames from 'classnames'; import * as models from '../../../shared/models'; @@ -70,89 +70,101 @@ export const ApplicationResourceList = (props: ApplicationResourceListProps) =>
    {props.resources .sort((first, second) => -createdOrNodeKey(first).localeCompare(createdOrNodeKey(second))) - .map(res => ( -
    props.onNodeClick && props.onNodeClick(nodeKey(res))}> -
    -
    -
    - -
    -
    {ResourceLabel({kind: res.kind})}
    + .map(res => { + const groupkindjoin = [res.group, res.kind].filter(item => !!item).join('/'); + return ( +
    props.onNodeClick && props.onNodeClick(nodeKey(res))}> +
    +
    +
    + +
    +
    {ResourceLabel({kind: res.kind})}
    +
    -
    -
    - {res.name} - {res.kind === 'Application' && ( - - {ctx => ( - - e.stopPropagation()} - title='Open application'> - - + +
    + {res.name} + {res.kind === 'Application' && ( + + {ctx => ( + + e.stopPropagation()} + title='Open application'> + + + + )} + + )} +
    +
    + +
    {groupkindjoin}
    +
    + +
    {res.syncWave || '-'}
    +
    + +
    {res.namespace}
    +
    + {isSameKind && + res.kind === 'ReplicaSet' && + ((nodeByKey.get(nodeKey(res)) as ResourceNode).info || []) + .filter(tag => !tag.name.includes('Node')) + .slice(0, 4) + .map((tag, i) => { + return ( +
    + {tag?.value?.split(':')[1] || '-'} +
    + ); + })} + +
    + {res.createdAt && ( + + + {res.createdAt} + +  ago   {format(new Date(res.createdAt), 'MM/dd/yy')} )} - - )} -
    -
    {[res.group, res.kind].filter(item => !!item).join('/')}
    -
    {res.syncWave || '-'}
    -
    {res.namespace}
    - {isSameKind && - res.kind === 'ReplicaSet' && - ((nodeByKey.get(nodeKey(res)) as ResourceNode).info || []) - .filter(tag => !tag.name.includes('Node')) - .slice(0, 4) - .map((tag, i) => { - return ( -
    - {tag?.value?.split(':')[1] || '-'} -
    - ); - })} - -
    - {res.createdAt && ( - - - {res.createdAt} - -  ago   {format(new Date(res.createdAt), 'MM/dd/yy')} - - )} -
    -
    - {res.health && ( - - {res.health.status}   - - )} - {res.status && } - {res.hook && } - {props.nodeMenu && ( -
    - ( - - )}> - {() => props.nodeMenu(nodeByKey.get(nodeKey(res)))} -
    - )} + +
    + {res.health && ( + + {res.health.status}   + + )} + {res.status && } + {res.hook && } + {props.nodeMenu && ( +
    + ( + + )}> + {() => props.nodeMenu(nodeByKey.get(nodeKey(res)))} + +
    + )} +
    -
    - ))} + ); + })}
    ) diff --git a/ui/src/app/shared/components/layout/layout.scss b/ui/src/app/shared/components/layout/layout.scss index ad01b89e65bf4..5362d894ee473 100644 --- a/ui/src/app/shared/components/layout/layout.scss +++ b/ui/src/app/shared/components/layout/layout.scss @@ -40,14 +40,4 @@ &__content { width: 100%; } - - &--extension { - .cd-layout__content--sb-expanded { - padding-left: $sidebar-width; - } - - .cd-layout__content--sb-collapsed { - padding-left: $collapsed-sidebar-width; - } - } } diff --git a/ui/src/app/shared/components/layout/layout.tsx b/ui/src/app/shared/components/layout/layout.tsx index 096fdde68e99b..e08297cb4e9e6 100644 --- a/ui/src/app/shared/components/layout/layout.tsx +++ b/ui/src/app/shared/components/layout/layout.tsx @@ -9,7 +9,6 @@ export interface LayoutProps { onVersionClick?: () => void; children?: React.ReactNode; pref: ViewPreferences; - isExtension?: boolean; } const getBGColor = (theme: string): string => (theme === 'light' ? '#dee6eb' : '#100f0f'); @@ -23,7 +22,7 @@ export const Layout = (props: LayoutProps) => { return (
    -
    +
    {props.children} diff --git a/util/settings/settings.go b/util/settings/settings.go index 45da68945a59f..7068fda32b741 100644 --- a/util/settings/settings.go +++ b/util/settings/settings.go @@ -171,6 +171,7 @@ func (o *oidcConfig) toExported() *OIDCConfig { LogoutURL: o.LogoutURL, RootCA: o.RootCA, EnablePKCEAuthentication: o.EnablePKCEAuthentication, + DomainHint: o.DomainHint, } } @@ -188,6 +189,7 @@ type OIDCConfig struct { LogoutURL string `json:"logoutURL,omitempty"` RootCA string `json:"rootCA,omitempty"` EnablePKCEAuthentication bool `json:"enablePKCEAuthentication,omitempty"` + DomainHint string `json:"domainHint,omitempty"` } // DEPRECATED. Helm repository credentials are now managed using RepoCredentials
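Review bot: The new exported `DomainHint` field on `OIDCConfig` carries no comment, and its meaning is not self-evident: by name it is the `domain_hint` parameter some identity providers (Azure AD, Auth0) accept on the authorization request, which only pre-selects a login realm. Because an operator may read a field called DomainHint as a tenant restriction, document that it is advisory only, e.g. `// DomainHint is forwarded to the identity provider as the domain_hint authorization-request parameter to pre-select a login domain/tenant. It is a UX hint, not an access control: tenant restriction must come from issuer verification and claim/RBAC checks.` Wherever the value is consumed is outside this hunk, so confirm there that it is only ever sent as a query parameter and not otherwise trusted. The same note belongs on the internal `oidcConfig` field that `toExported` copies from, whose declaration is also outside the hunk.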