From 210f26ae8343fd9d49d2a753e6879d218b5e49b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Nov=C3=A1k?=
Date: Fri, 17 May 2024 21:41:23 +0200
Subject: [PATCH 1/7] fix(reposerver): fix OCI repository matching (#17955)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tomáš Novák
---
 USERS.md | 1 +
 reposerver/repository/repository.go | 4 +++-
 reposerver/repository/repository_test.go | 17 +++++++++++++++--
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/USERS.md b/USERS.md
index 14cb981665f0..32f665c6e9bb 100644
--- a/USERS.md
+++ b/USERS.md
@@ -44,6 +44,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
+1. [Broker Consulting, a.s.](https://www.bcas.cz/en/)
 1. [Bulder Bank](https://bulderbank.no)
 1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go
index 1527c4b372c2..3fc1070feb1b 100644
--- a/reposerver/repository/repository.go
+++ b/reposerver/repository/repository.go
@@ -1000,7 +1000,9 @@ func getHelmRepos(appPath string, repositories []*v1alpha1.Repository, helmRepoC
 // finally if repo is OCI and no credentials found, use the first OCI credential matching by hostname
 // see https://github.com/argoproj/argo-cd/issues/14636
 for _, cred := range repositories {
- if depURL, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && depURL.Host == cred.Repo {
+ // if the repo is OCI, don't match the repository URL exactly, but only as a dependent repository prefix just like in the getRepoCredential function
+ // see https://github.com/argoproj/argo-cd/issues/12436
+ if _, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && strings.HasPrefix(dep.Repo, cred.Repo) {
 repo.Username = cred.Username
 repo.Password = cred.Password
 break
diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go
index edd40c630569..a90d7da41062 100644
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@@ -3036,9 +3036,9 @@ func Test_populateHelmAppDetails_values_symlinks(t *testing.T) {
 })
 }

-func TestGetHelmRepos_OCIDependencies(t *testing.T) {
+func TestGetHelmRepos_OCIDependenciesWithHelmRepo(t *testing.T) {
 src := argoappv1.ApplicationSource{Path: "."}
- q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{
+ q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{
 {URL: "example.com", Username: "test", Password: "test", EnableOCI: true},
 }}

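Review bot: The new `strings.HasPrefix(dep.Repo, cred.Repo)` on the changed line compares raw characters with no host or path-segment boundary, so a credential configured for `example.com` is also selected for a dependency whose repo merely starts with those characters (a different registry host such as `example.community/...`), and that registry's username and password are then handed to a host the credential was never meant for. An empty `cred.Repo` is a prefix of every string, so such an entry would match every OCI dependency. Anchoring the match on a segment boundary keeps the intended sub-path behaviour while closing both cases: `if _, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && cred.Repo != "" && (dep.Repo == cred.Repo || strings.HasPrefix(dep.Repo, cred.Repo+"/")) {`. The added comment says this mirrors getRepoCredential, which is not in the hunk; if that helper applies the same unbounded prefix it would want the same tightening. getHelmRepos starts and ends outside the hunk.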
@@ -3051,6 +3051,19 @@ func TestGetHelmRepos_OCIDependencies(t *testing.T) {
 assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo")
 }

+func TestGetHelmRepos_OCIDependenciesWithRepo(t *testing.T) {
+ src := argoappv1.ApplicationSource{Path: "."}
+ q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{{Repo: "example.com", Username: "test", Password: "test", EnableOCI: true}}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{}}
+
+ helmRepos, err := getHelmRepos("./testdata/oci-dependencies", q.Repos, q.HelmRepoCreds)
+ assert.Nil(t, err)
+
+ assert.Equal(t, len(helmRepos), 1)
+ assert.Equal(t, helmRepos[0].Username, "test")
+ assert.Equal(t, helmRepos[0].EnableOci, true)
+ assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo")
+}
+
 func TestGetHelmRepo_NamedRepos(t *testing.T) {
 src := argoappv1.ApplicationSource{Path: "."}
 q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, Repos: []*argoappv1.Repository{{
From 8cf3e05fd44d455575615d558e17be95b54d9faf Mon Sep 17 00:00:00 2001
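Review bot: The new TestGetHelmRepos_OCIDependenciesWithRepo covers only the positive case, so nothing pins the boundary of the relaxed prefix match it exercises in getHelmRepos; a second case whose Repos entry has a `Repo` that is a proper string prefix of the dependency's registry host, with a distinct Username, should assert that the returned helm repo carries no credentials. The `assert.Equal` calls here, and in the renamed test above, pass actual before expected (`assert.Equal(t, len(helmRepos), 1)`), which inverts testify's failure message; prefer `assert.Len(t, helmRepos, 1)`, `assert.Equal(t, "test", helmRepos[0].Username)` and `assert.NoError(t, err)` over `assert.Nil(t, err)`. The fixture at `./testdata/oci-dependencies` is outside the hunk, so the dependency it declares is inferred only from the `example.com/myrepo` assertion.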
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 19 May 2024 18:54:12 +0300 Subject: [PATCH 2/7] [Bot] docs: Update Snyk reports (#18276) --- docs/snyk/index.md | 18 +- docs/snyk/master/argocd-iac-install.html | 2 +- .../master/argocd-iac-namespace-install.html | 2 +- docs/snyk/master/argocd-test.html | 72 +- .../master/ghcr.io_dexidp_dex_v2.38.0.html | 2 +- docs/snyk/master/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_latest.html | 1065 +++++----- docs/snyk/master/redis_7.0.15-alpine.html | 185 +- docs/snyk/v2.10.9/argocd-iac-install.html | 2 +- .../v2.10.9/argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.10.9/argocd-test.html | 2 +- .../v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html | 2 +- docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.10.9.html | 1809 ++++++++-------- docs/snyk/v2.10.9/redis_7.0.15-alpine.html | 185 +- docs/snyk/v2.11.0-rc3/argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.11.0-rc3/argocd-test.html | 2 +- .../ghcr.io_dexidp_dex_v2.38.0.html | 2 +- .../v2.11.0-rc3/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.11.0-rc3.html | 1507 +++++++------- .../snyk/v2.11.0-rc3/redis_7.0.14-alpine.html | 2 +- docs/snyk/v2.8.18/argocd-iac-install.html | 2 +- .../v2.8.18/argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.8.18/argocd-test.html | 2 +- .../v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html | 2 +- docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.8.18.html | 1825 +++++++++-------- docs/snyk/v2.8.18/redis_7.0.15-alpine.html | 185 +- docs/snyk/v2.9.14/argocd-iac-install.html | 2 +- .../v2.9.14/argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.9.14/argocd-test.html | 2 +- .../v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html | 2 +- docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.9.14.html | 1809 ++++++++-------- 
docs/snyk/v2.9.14/redis_7.0.15-alpine.html | 185 +- 36 files changed, 4105 insertions(+), 4790 deletions(-) diff --git a/docs/snyk/index.md b/docs/snyk/index.md index fb6b4e3ec5b2..59083b0522e4 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md @@ -17,8 +17,8 @@ recent minor releases. | [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.38.0](master/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 2 | 2 | | [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 5 | 7 | -| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 9 | +| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | @@ -30,7 +30,7 @@ recent minor releases. | [ui/yarn.lock](v2.11.0-rc3/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.38.0](v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 2 | 2 | | [haproxy:2.6.14-alpine](v2.11.0-rc3/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.11.0-rc3](v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html) | 0 | 0 | 5 | 14 | +| [argocd:v2.11.0-rc3](v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html) | 0 | 0 | 3 | 16 | | [redis:7.0.14-alpine](v2.11.0-rc3/redis_7.0.14-alpine.html) | 0 | 0 | 2 | 2 | | [install.yaml](v2.11.0-rc3/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.11.0-rc3/argocd-iac-namespace-install.html) | - | - | - | - | 
@@ -43,8 +43,8 @@ recent minor releases. | [ui/yarn.lock](v2.10.9/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.37.0](v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 2 | | [haproxy:2.6.14-alpine](v2.10.9/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.10.9](v2.10.9/quay.io_argoproj_argocd_v2.10.9.html) | 0 | 0 | 5 | 14 | -| [redis:7.0.15-alpine](v2.10.9/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:v2.10.9](v2.10.9/quay.io_argoproj_argocd_v2.10.9.html) | 0 | 0 | 3 | 16 | +| [redis:7.0.15-alpine](v2.10.9/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.10.9/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.10.9/argocd-iac-namespace-install.html) | - | - | - | - | @@ -56,8 +56,8 @@ recent minor releases. | [ui/yarn.lock](v2.9.14/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.37.0](v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 2 | | [haproxy:2.6.14-alpine](v2.9.14/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.9.14](v2.9.14/quay.io_argoproj_argocd_v2.9.14.html) | 0 | 0 | 5 | 14 | -| [redis:7.0.15-alpine](v2.9.14/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:v2.9.14](v2.9.14/quay.io_argoproj_argocd_v2.9.14.html) | 0 | 0 | 3 | 16 | +| [redis:7.0.15-alpine](v2.9.14/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.9.14/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.9.14/argocd-iac-namespace-install.html) | - | - | - | - | 
@@ -69,7 +69,7 @@ recent minor releases. | [ui/yarn.lock](v2.8.18/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.37.0](v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 6 | 2 | | [haproxy:2.6.14-alpine](v2.8.18/haproxy_2.6.14-alpine.html) | 0 | 1 | 3 | 2 | -| [argocd:v2.8.18](v2.8.18/quay.io_argoproj_argocd_v2.8.18.html) | 0 | 0 | 5 | 14 | -| [redis:7.0.15-alpine](v2.8.18/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 | +| [argocd:v2.8.18](v2.8.18/quay.io_argoproj_argocd_v2.8.18.html) | 0 | 0 | 3 | 16 | +| [redis:7.0.15-alpine](v2.8.18/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.8.18/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.8.18/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index 0e4f29472e9b..a9ce30ee9a43 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:17:58 am (UTC+00:00)

+

May 19th 2024, 12:17:37 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index ef78e6b3f1a9..2ecbdd43953e 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:18:08 am (UTC+00:00)

+

May 19th 2024, 12:17:48 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index 52f41d2b0c43..692c13155cf6 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:01 am (UTC+00:00)

+

May 19th 2024, 12:15:42 am (UTC+00:00)

Scanned the following paths: @@ -469,7 +469,7 @@

Snyk test report

8 known vulnerabilities
164 vulnerable dependency paths
-
2060 dependencies
+
2056 dependencies
@@ -1115,7 +1115,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1@0.29.2 @@ -1319,7 +1319,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/cache@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/cache@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1336,7 +1336,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1353,7 +1353,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1527,7 +1527,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/ignore@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/ignore@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1546,7 +1546,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1565,7 +1565,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/testing@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/testing@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1660,7 +1660,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/health@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/health@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.29.2 @@ -1850,9 +1850,9 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/health@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/health@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -1869,9 +1869,9 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2021,7 +2021,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/diff@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/diff@#8a3ce6d85caa k8s.io/apimachinery/pkg/util/strategicpatch@0.29.2 @@ -2126,11 +2126,11 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/hook@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa k8s.io/apimachinery/pkg/apis/meta/v1@0.29.2 @@ -2516,13 +2516,13 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/hook@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2539,13 +2539,13 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/syncwaves@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2562,7 +2562,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/diff@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/diff@#8a3ce6d85caa k8s.io/kubectl/pkg/cmd/util@0.29.2 @@ -2825,7 +2825,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/kube/scheme@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube/scheme@#8a3ce6d85caa k8s.io/kubernetes/pkg/apis/storage/install@1.29.2 @@ -2900,15 +2900,15 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync/ignore@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/ignore@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/hook/helm@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/sync/common@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync/common@#8a3ce6d85caa - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2950,7 +2950,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/cache@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/cache@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -2977,7 +2977,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/sync@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/sync@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 @@ -3004,7 +3004,7 @@

Detailed paths

Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 - github.com/argoproj/gitops-engine/pkg/utils/kube@#0aecd4390353 + github.com/argoproj/gitops-engine/pkg/utils/kube@#8a3ce6d85caa k8s.io/kubectl/pkg/util/openapi@0.29.2 diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html index d1448b086943..9a0c6f958ce7 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:11 am (UTC+00:00)

+

May 19th 2024, 12:15:50 am (UTC+00:00)

Scanned the following paths: diff --git a/docs/snyk/master/haproxy_2.6.14-alpine.html b/docs/snyk/master/haproxy_2.6.14-alpine.html index c88335a9558c..0505efdb9294 100644 --- a/docs/snyk/master/haproxy_2.6.14-alpine.html +++ b/docs/snyk/master/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:18 am (UTC+00:00)

+

May 19th 2024, 12:15:57 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index d7453ed035a1..09f43acec0de 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -456,7 +456,7 @@

Snyk test report

-

May 12th 2024, 12:16:34 am (UTC+00:00)

+

May 19th 2024, 12:16:15 am (UTC+00:00)

Scanned the following paths: @@ -472,7 +472,7 @@

Snyk test report

20 known vulnerabilities
80 vulnerable dependency paths
-
2285 dependencies
+
2287 dependencies
@@ -845,7 +845,7 @@

References

-

CVE-2024-26458

+

CVE-2024-26462

@@ -1035,24 +1035,25 @@

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

-

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

+

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Remediation

There is no fixed version for Ubuntu:24.04 krb5.

References


-

CVE-2024-26462

+

LGPL-3.0 license

@@ -1063,21 +1064,21 @@

CVE-2024-26462

  • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd
  • - Package Manager: ubuntu:24.04 + Package Manager: golang
  • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
  • Introduced through: + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 - docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others
@@ -1089,146 +1090,69 @@

Detailed paths

  • Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.20.1-6ubuntu2 + gopkg.in/retry.v1@v1.0.3
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - +
- -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - openssh/openssh-client@1:9.6p1-3ubuntu13 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - +
  • +
    +

    MPL-2.0 license

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - libssh/libssh-4@0.10.6-2build2 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - +
    -
  • +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    -

    CVE-2024-26461

    +

    MPL-2.0 license

    @@ -1270,21 +1184,21 @@

    CVE-2024-26461

    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:24.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + github.com/hashicorp/go-version
    • Introduced through: + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.6.0 - docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others
    @@ -1296,177 +1210,30 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.20.1-6ubuntu2 + github.com/hashicorp/go-version@v1.6.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - krb5/libk5crypto3@1.20.1-6ubuntu2 - - krb5/libkrb5support0@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - krb5/libkrb5-3@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - openssh/openssh-client@1:9.6p1-3ubuntu13 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 - - libssh/libssh-4@0.10.6-2build2 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - krb5/krb5-locales@1.20.1-6ubuntu2 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 krb5.

    -

    References

    - +

    MPL-2.0 license


    -

    LGPL-3.0 license

    +

    MPL-2.0 license

    @@ -1485,12 +1252,12 @@

    LGPL-3.0 license

  • Module: - gopkg.in/retry.v1 + github.com/hashicorp/go-retryablehttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4
  • @@ -1505,7 +1272,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + github.com/hashicorp/go-retryablehttp@v0.7.4 @@ -1516,12 +1283,12 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    MPL-2.0 license


    @@ -1537,7 +1304,7 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:latest/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -1545,12 +1312,12 @@

      MPL-2.0 license

    • Module: - github.com/r3labs/diff + github.com/hashicorp/go-multierror
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1
    @@ -1563,9 +1330,9 @@

    Detailed paths

    @@ -1605,12 +1372,12 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-version + github.com/hashicorp/go-cleanhttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.6.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2
  • @@ -1625,7 +1392,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/hashicorp/go-version@v1.6.0 + github.com/hashicorp/go-cleanhttp@v0.5.2 @@ -1641,7 +1408,7 @@

    Detailed paths


    @@ -1665,12 +1432,12 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-retryablehttp + github.com/gosimple/slug
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 + github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1
  • @@ -1685,7 +1452,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - github.com/hashicorp/go-retryablehttp@v0.7.4 + github.com/gosimple/slug@v1.13.1 @@ -1701,36 +1468,36 @@

    Detailed paths


    -
    -

    MPL-2.0 license

    +
    +

    CVE-2023-7008

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:latest/helm/v3 /usr/local/bin/helm + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:24.04
    • - Module: + Vulnerable module: - github.com/hashicorp/go-multierror + systemd/libsystemd0
    • Introduced through: - helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 + docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@255.4-1ubuntu8
    @@ -1743,213 +1510,33 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + docker-image|quay.io/argoproj/argocd@latest - github.com/hashicorp/go-multierror@v1.1.1 + systemd/libsystemd0@255.4-1ubuntu8
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-cleanhttp -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@latest - github.com/hashicorp/go-cleanhttp@v0.5.2 + apt@2.7.14build2 + + systemd/libsystemd0@255.4-1ubuntu8
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/gosimple/slug -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/gosimple/slug@v1.13.1 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    CVE-2023-7008

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@255.4-1ubuntu8 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libsystemd0@255.4-1ubuntu8 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.7.14build2 - - systemd/libsystemd0@255.4-1ubuntu8 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - procps/libproc2-0@2:4.0.4-4ubuntu3 - - systemd/libsystemd0@255.4-1ubuntu8 - - +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + procps/libproc2-0@2:4.0.4-4ubuntu3 + + systemd/libsystemd0@255.4-1ubuntu8 + +
    • @@ -2253,6 +1840,422 @@

      References

      More about this vulnerability

    +
    +
    +

    CVE-2024-26458

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:9.6p1-3ubuntu13 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + krb5/krb5-locales@1.20.1-6ubuntu2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 krb5.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-26461

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + krb5/libk5crypto3@1.20.1-6ubuntu2 + + krb5/libkrb5support0@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + krb5/libkrb5-3@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:9.6p1-3ubuntu13 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.43.0-1ubuntu7 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.1 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + krb5/krb5-locales@1.20.1-6ubuntu2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 krb5.

    +

    References

    + + +
    + + +

    Out-of-bounds Write

    diff --git a/docs/snyk/master/redis_7.0.15-alpine.html b/docs/snyk/master/redis_7.0.15-alpine.html index a0b91c7029d6..9fee82917810 100644 --- a/docs/snyk/master/redis_7.0.15-alpine.html +++ b/docs/snyk/master/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:16:40 am (UTC+00:00)

    +

    May 19th 2024, 12:16:21 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.10.9/argocd-iac-install.html b/docs/snyk/v2.10.9/argocd-iac-install.html index 946bc64c22e0..1b9a9efab0dc 100644 --- a/docs/snyk/v2.10.9/argocd-iac-install.html +++ b/docs/snyk/v2.10.9/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:26 am (UTC+00:00)

    +

    May 19th 2024, 12:22:08 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.9/argocd-iac-namespace-install.html b/docs/snyk/v2.10.9/argocd-iac-namespace-install.html index 34954868435f..54b01665ce71 100644 --- a/docs/snyk/v2.10.9/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.10.9/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:35 am (UTC+00:00)

    +

    May 19th 2024, 12:22:17 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.9/argocd-test.html b/docs/snyk/v2.10.9/argocd-test.html index 35bb83c34afb..f8505a7feefa 100644 --- a/docs/snyk/v2.10.9/argocd-test.html +++ b/docs/snyk/v2.10.9/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:34 am (UTC+00:00)

    +

    May 19th 2024, 12:20:12 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html index 7c9ad71eb222..89c9d85876d0 100644 --- a/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.10.9/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:41 am (UTC+00:00)

    +

    May 19th 2024, 12:20:20 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html b/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html index b0def3340ca0..fa1114b09e35 100644 --- a/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.10.9/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:44 am (UTC+00:00)

    +

    May 19th 2024, 12:20:24 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html b/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html index 3bc3e86dcf41..e2bb4ee040fc 100644 --- a/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html +++ b/docs/snyk/v2.10.9/quay.io_argoproj_argocd_v2.10.9.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:21:02 am (UTC+00:00)

    +

    May 19th 2024, 12:20:43 am (UTC+00:00)

    Scanned the following paths: @@ -850,7 +850,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1053,24 +1053,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1081,20 +1082,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1107,159 +1108,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1270,27 +1181,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1301,20 +1213,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1327,190 +1239,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1527,14 +1287,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1549,7 +1309,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1560,17 +1320,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    Authentication Bypass by Capture-replay

    @@ -1589,12 +1360,12 @@

    Infinite loop

  • Vulnerable module: - google.golang.org/protobuf/internal/encoding/json + golang.org/x/crypto/ssh
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0
  • @@ -1609,7 +1380,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + golang.org/x/crypto/ssh@v0.16.0 @@ -1621,27 +1392,54 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    Remediation

    -

    Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Stack-based Buffer Overflow

    +

    MPL-2.0 license

    @@ -1658,14 +1456,14 @@

    Stack-based Buffer Overflow

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -1680,7 +1478,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/r3labs/diff@v1.1.0 @@ -1691,25 +1489,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1726,14 +1516,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  • @@ -1748,236 +1538,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 - - - - - - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Authentication Bypass by Capture-replay

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - golang.org/x/crypto/ssh@v0.16.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/r3labs/diff -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/r3labs/diff@v1.1.0 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-version -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-version@v1.2.1 + github.com/hashicorp/go-version@v1.2.1 @@ -2702,20 +2263,620 @@

      Release of Invalid Pointer or Reference

      docker-image|quay.io/argoproj/argocd@v2.10.9 and patch@2.7.6-7build2 -
    • -
    + + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.9 and patch@2.7.6-7build2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-50495

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + -
      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + -

      Detailed paths

      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.9 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + -
    -

    Double Free

    +

    Resource Exhaustion

    @@ -2765,12 +2927,12 @@

    Double Free

  • Vulnerable module: - patch + libzstd/libzstd1
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.10.9 and libzstd/libzstd1@1.4.8+dfsg-3build1
  • @@ -2785,7 +2947,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - patch@2.7.6-7build2 + libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -2797,31 +2959,33 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    References


    -

    CVE-2023-50495

    +

    Integer Overflow or Wraparound

    @@ -2840,12 +3004,12 @@

    CVE-2023-50495

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -2860,7 +3024,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2869,31 +3033,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2902,42 +3054,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2946,9 +3077,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -2957,28 +3086,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -2987,7 +3107,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -2996,9 +3116,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3007,13 +3127,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3022,18 +3140,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3042,7 +3155,17 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/ncurses-base@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3051,7 +3174,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3063,29 +3186,30 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    -
  • -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -3104,12 +3228,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3124,7 +3248,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3133,31 +3257,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3166,42 +3278,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3210,9 +3301,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3221,28 +3310,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3251,7 +3331,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3260,9 +3340,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3271,13 +3351,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3286,27 +3364,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.9 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3315,78 +3379,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.10.9 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.9/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.9 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3627,23 +3633,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.10.9/redis_7.0.15-alpine.html b/docs/snyk/v2.10.9/redis_7.0.15-alpine.html index 8c9ee9c06a8d..85521508e81d 100644 --- a/docs/snyk/v2.10.9/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.10.9/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:21:06 am (UTC+00:00)

    +

    May 19th 2024, 12:20:50 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.11.0-rc3/argocd-iac-install.html b/docs/snyk/v2.11.0-rc3/argocd-iac-install.html index 34867c2bb5cb..819ad88d27a5 100644 --- a/docs/snyk/v2.11.0-rc3/argocd-iac-install.html +++ b/docs/snyk/v2.11.0-rc3/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:15 am (UTC+00:00)

    +

    May 19th 2024, 12:19:52 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html b/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html index 26e7b5536319..5a7fbccbb343 100644 --- a/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.11.0-rc3/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:20:23 am (UTC+00:00)

    +

    May 19th 2024, 12:20:01 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.0-rc3/argocd-test.html b/docs/snyk/v2.11.0-rc3/argocd-test.html index 32bb15b1630e..75e671e4b102 100644 --- a/docs/snyk/v2.11.0-rc3/argocd-test.html +++ b/docs/snyk/v2.11.0-rc3/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:22 am (UTC+00:00)

    +

    May 19th 2024, 12:18:00 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html index fb1fd786706f..4b3d46a8a0f6 100644 --- a/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/v2.11.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:27 am (UTC+00:00)

    +

    May 19th 2024, 12:18:05 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html b/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html index 063d929aa120..44979eafbfdf 100644 --- a/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.11.0-rc3/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:31 am (UTC+00:00)

    +

    May 19th 2024, 12:18:09 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html b/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html index 9cdfa2b6de39..0d2775074d09 100644 --- a/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html +++ b/docs/snyk/v2.11.0-rc3/quay.io_argoproj_argocd_v2.11.0-rc3.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:51 am (UTC+00:00)

    +

    May 19th 2024, 12:18:29 am (UTC+00:00)

    Scanned the following paths: @@ -850,7 +850,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1053,24 +1053,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1081,20 +1082,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1107,159 +1108,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1270,27 +1181,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1301,20 +1213,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1327,190 +1239,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1527,14 +1287,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1549,7 +1309,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1560,17 +1320,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1587,14 +1358,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/internal/encoding/json + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -1609,7 +1380,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/r3labs/diff@v1.1.0 @@ -1620,28 +1391,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Stack-based Buffer Overflow

    +

    MPL-2.0 license

    @@ -1658,14 +1418,14 @@

    Stack-based Buffer Overflow

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  • @@ -1680,7 +1440,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/hashicorp/go-version@v1.2.1 @@ -1691,25 +1451,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1726,14 +1478,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-retryablehttp
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4
  • @@ -1748,7 +1500,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/hashicorp/go-retryablehttp@v0.7.4 @@ -1759,23 +1511,12 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    @@ -1791,7 +1532,7 @@

    MPL-2.0 license

    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -1799,12 +1540,12 @@

      MPL-2.0 license

    • Module: - github.com/r3labs/diff + github.com/hashicorp/go-multierror
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1
    @@ -1817,9 +1558,9 @@

    Detailed paths

    @@ -1859,187 +1600,7 @@

    MPL-2.0 license

  • Module: - github.com/hashicorp/go-version -
  • - -
  • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 - -
  • - - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-version@v1.2.1 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-retryablehttp -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-retryablehttp@v0.7.4 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/helm/v3 /usr/local/bin/helm -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-multierror -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - github.com/hashicorp/go-multierror@v1.1.1 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-cleanhttp + github.com/hashicorp/go-cleanhttp
    • Introduced through: @@ -2913,12 +2474,575 @@

      References


      + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    Resource Exhaustion

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + libzstd/libzstd1 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and libzstd/libzstd1@1.4.8+dfsg-3build1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + libzstd/libzstd1@1.4.8+dfsg-3build1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    +

    References

    + + +
    + + + +
    +
    +

    Integer Overflow or Wraparound

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libkrb5-3@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libkrb5-3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libkrb5-3@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + openssh/openssh-client@1:8.9p1-3ubuntu0.7 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + git@1:2.34.1-1ubuntu1.10 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + + krb5/libkrb5support0@1.19.2-2ubuntu0.3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    References

    + + +
    + +
    -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -2937,12 +3061,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -2957,7 +3081,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2966,31 +3090,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2999,42 +3111,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3043,9 +3134,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3054,28 +3143,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3084,7 +3164,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3093,9 +3173,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3104,13 +3184,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3119,27 +3197,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3148,78 +3212,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.11.0-rc3 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3460,23 +3466,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html b/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html index e346bca7655a..3098ab07a6fa 100644 --- a/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html +++ b/docs/snyk/v2.11.0-rc3/redis_7.0.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:18:56 am (UTC+00:00)

    +

    May 19th 2024, 12:18:35 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.18/argocd-iac-install.html b/docs/snyk/v2.8.18/argocd-iac-install.html index d96fcc452bb0..f99e637b1be4 100644 --- a/docs/snyk/v2.8.18/argocd-iac-install.html +++ b/docs/snyk/v2.8.18/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:26:37 am (UTC+00:00)

    +

    May 19th 2024, 12:26:31 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.18/argocd-iac-namespace-install.html b/docs/snyk/v2.8.18/argocd-iac-namespace-install.html index 92d8dd0d6a7c..dcc47f8181ca 100644 --- a/docs/snyk/v2.8.18/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.8.18/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:26:45 am (UTC+00:00)

    +

    May 19th 2024, 12:26:41 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.18/argocd-test.html b/docs/snyk/v2.8.18/argocd-test.html index 2c70cafaf908..b0f63c4dc03d 100644 --- a/docs/snyk/v2.8.18/argocd-test.html +++ b/docs/snyk/v2.8.18/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:24:58 am (UTC+00:00)

    +

    May 19th 2024, 12:24:53 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html index d4b292a49d0d..f407e4b750f6 100644 --- a/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.8.18/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:05 am (UTC+00:00)

    +

    May 19th 2024, 12:24:58 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html b/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html index 0cd475021628..9b045aea3af2 100644 --- a/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.8.18/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:09 am (UTC+00:00)

    +

    May 19th 2024, 12:25:02 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html b/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html index c52c87c03f4c..795a9d43dce5 100644 --- a/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html +++ b/docs/snyk/v2.8.18/quay.io_argoproj_argocd_v2.8.18.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:26 am (UTC+00:00)

    +

    May 19th 2024, 12:25:21 am (UTC+00:00)

    Scanned the following paths: @@ -1103,7 +1103,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1306,24 +1306,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1334,20 +1335,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1360,159 +1361,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1523,27 +1434,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1554,20 +1466,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1580,190 +1492,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1780,14 +1540,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1802,7 +1562,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1813,17 +1573,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    Allocation of Resources Without Limits or Throttling

    @@ -1834,7 +1605,7 @@

    Infinite loop

    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.8.18/helm/v3 /usr/local/bin/helm
    • Package Manager: golang @@ -1842,12 +1613,12 @@

      Infinite loop

    • Vulnerable module: - google.golang.org/protobuf/internal/encoding/json + golang.org/x/net/http2
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0
    @@ -1860,9 +1631,9 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + helm.sh/helm/v3@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + golang.org/x/net/http2@v0.8.0 @@ -1874,27 +1645,28 @@

      Detailed paths


      Overview

      -

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      +

      Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

      Note:

      -

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      +

      This issue is related to CVE-2023-44487

      Remediation

      -

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      +

      Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

      References


    -

    Stack-based Buffer Overflow

    +

    Authentication Bypass by Capture-replay

    @@ -1913,12 +1685,12 @@

    Stack-based Buffer Overflow

  • Vulnerable module: - google.golang.org/protobuf/encoding/protojson + golang.org/x/crypto/ssh
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0
  • @@ -1933,7 +1705,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + golang.org/x/crypto/ssh@v0.16.0 @@ -1945,24 +1717,54 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    +

    Note:

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1979,14 +1781,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -2001,248 +1803,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 - - - - - - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/helm/v3 /usr/local/bin/helm -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http2 -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.8.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/net/http2@v0.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when MaxConcurrentStreams handler goroutines running. A a handler is started until one of the existing handlers exits.

    -

    Note:

    -

    This issue is related to CVE-2023-44487

    -

    Remediation

    -

    Upgrade golang.org/x/net/http2 to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Authentication Bypass by Capture-replay

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - golang.org/x/crypto/ssh@v0.16.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/r3labs/diff -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/r3labs/diff@v1.1.0 + github.com/r3labs/diff@v1.1.0 @@ -3027,20 +2588,620 @@

      Release of Invalid Pointer or Reference

      docker-image|quay.io/argoproj/argocd@v2.8.18 and patch@2.7.6-7build2 -
    • -
    + + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.18 and patch@2.7.6-7build2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-50495

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + -
      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + -

      Detailed paths

      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.18 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + -
    -

    Double Free

    +

    Resource Exhaustion

    @@ -3090,12 +3252,12 @@

    Double Free

  • Vulnerable module: - patch + libzstd/libzstd1
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.8.18 and libzstd/libzstd1@1.4.8+dfsg-3build1
  • @@ -3110,7 +3272,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - patch@2.7.6-7build2 + libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -3122,31 +3284,33 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    References


    -

    CVE-2023-50495

    +

    Integer Overflow or Wraparound

    @@ -3165,12 +3329,12 @@

    CVE-2023-50495

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3185,7 +3349,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3194,31 +3358,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3227,42 +3379,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3271,9 +3402,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3282,28 +3411,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3312,7 +3432,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3321,9 +3441,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3332,13 +3452,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3347,18 +3465,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3367,7 +3480,17 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/ncurses-base@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3376,7 +3499,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3388,29 +3511,30 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    -
  • -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -3429,12 +3553,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.18 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3449,7 +3573,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3458,31 +3582,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3491,42 +3603,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3535,9 +3626,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3546,28 +3635,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3576,7 +3656,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3585,9 +3665,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3596,13 +3676,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3611,27 +3689,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.18 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3640,78 +3704,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.8.18 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.8.18/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.8.18 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3952,23 +3958,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.8.18/redis_7.0.15-alpine.html b/docs/snyk/v2.8.18/redis_7.0.15-alpine.html index e7558103882c..5a9e619702ce 100644 --- a/docs/snyk/v2.8.18/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.8.18/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:25:30 am (UTC+00:00)

    +

    May 19th 2024, 12:25:25 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.9.14/argocd-iac-install.html b/docs/snyk/v2.9.14/argocd-iac-install.html index 71ba1d44dc04..924080025664 100644 --- a/docs/snyk/v2.9.14/argocd-iac-install.html +++ b/docs/snyk/v2.9.14/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:24:34 am (UTC+00:00)

    +

    May 19th 2024, 12:24:26 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.14/argocd-iac-namespace-install.html b/docs/snyk/v2.9.14/argocd-iac-namespace-install.html index 7e387eff0000..efaa9ba6c147 100644 --- a/docs/snyk/v2.9.14/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.9.14/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:24:42 am (UTC+00:00)

    +

    May 19th 2024, 12:24:37 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.14/argocd-test.html b/docs/snyk/v2.9.14/argocd-test.html index ac27e76eb2bb..1bc460a6a41f 100644 --- a/docs/snyk/v2.9.14/argocd-test.html +++ b/docs/snyk/v2.9.14/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:50 am (UTC+00:00)

    +

    May 19th 2024, 12:22:37 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html index 1cfb5dfc53be..bfd1c07ea5b8 100644 --- a/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.9.14/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:55 am (UTC+00:00)

    +

    May 19th 2024, 12:22:45 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html b/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html index afe6b309d4cd..f068ccbedb25 100644 --- a/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.9.14/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:22:59 am (UTC+00:00)

    +

    May 19th 2024, 12:22:49 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html b/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html index 926cbb1519c5..506e20fb2785 100644 --- a/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html +++ b/docs/snyk/v2.9.14/quay.io_argoproj_argocd_v2.9.14.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:23:16 am (UTC+00:00)

    +

    May 19th 2024, 12:23:08 am (UTC+00:00)

    Scanned the following paths: @@ -932,7 +932,7 @@

    References

    -

    CVE-2024-26461

    +

    CVE-2024-26462

    @@ -1135,24 +1135,25 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    -

    CVE-2024-26462

    +

    LGPL-3.0 license

    @@ -1163,20 +1164,20 @@

    CVE-2024-26462

    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • - Vulnerable module: + Module: - krb5/libk5crypto3 + gopkg.in/retry.v1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3
    @@ -1189,159 +1190,69 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + gopkg.in/retry.v1@v1.0.3
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    + +

    LGPL-3.0 license

    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
  • +
    +

    Infinite loop

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • + google.golang.org/protobuf/internal/encoding/json + + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + github.com/argoproj/argo-cd/v2@* - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/internal/encoding/json@v1.31.0 @@ -1352,27 +1263,28 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

      +

      Note:

      +

      This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 krb5.

      +

      Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

      References


  • -

    CVE-2024-26458

    +

    Stack-based Buffer Overflow

    @@ -1383,20 +1295,20 @@

    CVE-2024-26458

    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + google.golang.org/protobuf/encoding/protojson
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
    @@ -1409,190 +1321,38 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - openssh/openssh-client@1:8.9p1-3ubuntu0.7 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - git@1:2.34.1-1ubuntu1.10 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 - - krb5/libkrb5support0@1.19.2-2ubuntu0.3 - - - -
    • -
    +

    -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    +

    Overview

    +

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    References


    -

    LGPL-3.0 license

    +

    Infinite loop

    @@ -1609,14 +1369,14 @@

    LGPL-3.0 license

    Package Manager: golang
  • - Module: + Vulnerable module: - gopkg.in/retry.v1 + google.golang.org/protobuf/encoding/protojson
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 + github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0
  • @@ -1631,7 +1391,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - gopkg.in/retry.v1@v1.0.3 + google.golang.org/protobuf/encoding/protojson@v1.31.0 @@ -1642,17 +1402,28 @@

    Detailed paths


    -

    LGPL-3.0 license

    +

    Overview

    +

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    Note:

    +

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +

    Remediation

    +

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    +

    References

    +
    -

    Infinite loop

    +

    Authentication Bypass by Capture-replay

    @@ -1671,12 +1442,12 @@

    Infinite loop

  • Vulnerable module: - google.golang.org/protobuf/internal/encoding/json + golang.org/x/crypto/ssh
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/internal/encoding/json@v1.31.0 + github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0
  • @@ -1691,7 +1462,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/internal/encoding/json@v1.31.0 + golang.org/x/crypto/ssh@v0.16.0 @@ -1703,27 +1474,54 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    +
      +
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      +
    2. +
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      +
    4. +
    +

    Impact:

    +

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    +

    Workaround

    +

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    Remediation

    -

    Upgrade google.golang.org/protobuf/internal/encoding/json to version 1.33.0 or higher.

    +

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    References


    -

    Stack-based Buffer Overflow

    +

    MPL-2.0 license

    @@ -1740,14 +1538,14 @@

    Stack-based Buffer Overflow

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/r3labs/diff
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0
  • @@ -1762,7 +1560,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/r3labs/diff@v1.1.0 @@ -1773,25 +1571,17 @@

    Detailed paths


    -

    Overview

    -

    Affected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.32.0 or higher.

    -

    References

    - +

    MPL-2.0 license


    -

    Infinite loop

    +

    MPL-2.0 license

    @@ -1808,14 +1598,14 @@

    Infinite loop

    Package Manager: golang
  • - Vulnerable module: + Module: - google.golang.org/protobuf/encoding/protojson + github.com/hashicorp/go-version
  • Introduced through: - github.com/argoproj/argo-cd/v2@* and google.golang.org/protobuf/encoding/protojson@v1.31.0 + github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1
  • @@ -1830,236 +1620,7 @@

    Detailed paths

    Introduced through: github.com/argoproj/argo-cd/v2@* - google.golang.org/protobuf/encoding/protojson@v1.31.0 - - - - - - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Infinite loop via the protojson.Unmarshal function. An attacker can cause a denial of service condition by unmarshaling certain forms of invalid JSON.

    -

    Note:

    -

    This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

    -

    Remediation

    -

    Upgrade google.golang.org/protobuf/encoding/protojson to version 1.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Authentication Bypass by Capture-replay

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.16.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - golang.org/x/crypto/ssh@v0.16.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.

    -

    Note:

    -
      -
    1. Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.

      -
    2. -
    3. The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.

      -
    4. -
    -

    Impact:

    -

    While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption methods. The attacker must also be able to intercept and modify the connection's traffic.

    -

    Workaround

    -

    Temporarily disable the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the affected configuration, and use unaffected algorithms like AES-GCM instead.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.17.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/r3labs/diff -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/r3labs/diff@v1.1.0 - - - -
    • -
    - -
    - -
    - -

    MPL-2.0 license

    - -
    - - - -
    -
    -

    MPL-2.0 license

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Module: - - github.com/hashicorp/go-version -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - github.com/hashicorp/go-version@v1.2.1 + github.com/hashicorp/go-version@v1.2.1 @@ -2784,20 +2345,620 @@

      Release of Invalid Pointer or Reference

      docker-image|quay.io/argoproj/argocd@v2.9.14 and patch@2.7.6-7build2 -
    • -
    + + + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.9.14 and patch@2.7.6-7build2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + patch@2.7.6-7build2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-50495

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 ncurses.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-45918

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + ncurses/libtinfo6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + bash@5.1-6ubuntu1.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + less@590-1ubuntu0.22.04.3 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + libedit/libedit2@3.1-20210910-1build1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-bin@6.3-2ubuntu0.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + util-linux@2.37.2-4ubuntu3.4 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gpg@2.2.27-3ubuntu2.1 + + gnupg2/gpgconf@2.2.27-3ubuntu2.1 + + readline/libreadline8@8.1.2-1 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libtinfo6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + gnupg2/gnupg@2.2.27-3ubuntu2.1 + + gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + + pinentry/pinentry-curses@1.1.1-1build2 + + ncurses/libncursesw6@6.3-2ubuntu0.1 + + -
      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + procps@2:3.3.17-6ubuntu2.1 + + ncurses/libncurses6@6.3-2ubuntu0.1 + + -

      Detailed paths

      +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.9.14 + + ncurses/ncurses-base@6.3-2ubuntu0.1 + + -
    -

    Double Free

    +

    Resource Exhaustion

    @@ -2847,12 +3009,12 @@

    Double Free

  • Vulnerable module: - patch + libzstd/libzstd1
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.9.14 and libzstd/libzstd1@1.4.8+dfsg-3build1
  • @@ -2867,7 +3029,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - patch@2.7.6-7build2 + libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -2879,31 +3041,33 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    +

    There is no fixed version for Ubuntu:22.04 libzstd.

    References


    -

    CVE-2023-50495

    +

    Integer Overflow or Wraparound

    @@ -2922,12 +3086,12 @@

    CVE-2023-50495

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -2942,7 +3106,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2951,31 +3115,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -2984,42 +3136,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3028,9 +3159,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3039,28 +3168,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3069,7 +3189,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3078,9 +3198,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3089,13 +3209,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3104,18 +3222,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3124,7 +3237,17 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/ncurses-base@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3133,7 +3256,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + krb5/libkrb5support0@1.19.2-2ubuntu0.3 @@ -3145,29 +3268,30 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

    +

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    -
  • -

    CVE-2023-45918

    +

    CVE-2024-26461

    @@ -3186,12 +3310,12 @@

    CVE-2023-45918

  • Vulnerable module: - ncurses/libtinfo6 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.9.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • @@ -3206,7 +3330,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3215,31 +3339,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - bash@5.1-6ubuntu1.1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncursesw6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - less@590-1ubuntu0.22.04.3 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3248,42 +3360,21 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - libedit/libedit2@3.1-20210910-1build1 + adduser@3.118ubuntu5 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libncurses6@6.3-2ubuntu0.1 + pam/libpam-modules@1.4.0-11ubuntu2.4 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libnsl/libnsl2@1.3.0-2build2 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - procps@2:3.3.17-6ubuntu2.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libk5crypto3@1.19.2-2ubuntu0.3 @@ -3292,9 +3383,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - util-linux@2.37.2-4ubuntu3.4 - - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3303,28 +3392,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gpg@2.2.27-3ubuntu2.1 - - gnupg2/gpgconf@2.2.27-3ubuntu2.1 + adduser@3.118ubuntu5 - readline/libreadline8@8.1.2-1 + shadow/passwd@1:4.8.1-2ubuntu2.2 - ncurses/libtinfo6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + pam/libpam-modules@1.4.0-11ubuntu2.4 - gnupg2/gnupg@2.2.27-3ubuntu2.1 + libnsl/libnsl2@1.3.0-2build2 - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - pinentry/pinentry-curses@1.1.1-1build2 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - ncurses/libtinfo6@6.3-2ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.3 @@ -3333,7 +3413,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3342,9 +3422,9 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - procps@2:3.3.17-6ubuntu2.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.7 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3353,13 +3433,11 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - gnupg2/gnupg@2.2.27-3ubuntu2.1 - - gnupg2/gpg-agent@2.2.27-3ubuntu2.1 + git@1:2.34.1-1ubuntu1.10 - pinentry/pinentry-curses@1.1.1-1build2 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncursesw6@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3368,27 +3446,13 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + git@1:2.34.1-1ubuntu1.10 - procps@2:3.3.17-6ubuntu2.1 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - ncurses/libncurses6@6.3-2ubuntu0.1 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.9.14 + libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - ncurses/ncurses-base@6.3-2ubuntu0.1 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 @@ -3397,78 +3461,26 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@v2.9.14 - ncurses/ncurses-bin@6.3-2ubuntu0.1 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + pam/libpam-modules@1.4.0-11ubuntu2.4 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 ncurses.

    -

    References

    - - -
    - - - -
    -
    -

    Resource Exhaustion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.9.14/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - libzstd/libzstd1 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.9.14 and libzstd/libzstd1@1.4.8+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -

    Integer Overflow or Wraparound

    +

    CVE-2024-26458

    @@ -3709,23 +3715,20 @@

    Detailed paths

    NVD Description

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

    +

    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

    Remediation

    There is no fixed version for Ubuntu:22.04 krb5.

    References


    diff --git a/docs/snyk/v2.9.14/redis_7.0.15-alpine.html b/docs/snyk/v2.9.14/redis_7.0.15-alpine.html index 3014ba8d2480..ed7cecdccf07 100644 --- a/docs/snyk/v2.9.14/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.9.14/redis_7.0.15-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    May 12th 2024, 12:23:20 am (UTC+00:00)

    +

    May 19th 2024, 12:23:12 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    9 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    19 dependencies
    @@ -476,182 +476,7 @@

    Snyk test report

    -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.19 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.1.4-r5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - openssl/libcrypto3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - .redis-rundeps@20240315.235535 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - apk-tools/apk-tools@2.14.0-r5 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.0.15-alpine - - busybox/ssl_client@1.36.1-r15 - - openssl/libssl3@3.1.4-r5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.19 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.19 openssl to version 3.1.4-r6 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    From 22993deb861bfc67e5a43790139bf3e72ec0abea Mon Sep 17 00:00:00 2001 From: david-wu-octopus <155603967+david-wu-octopus@users.noreply.github.com> Date: Mon, 20 May 2024 11:29:52 +1000 Subject: [PATCH 3/7] fix(ui): Fix excessive padding on system level extension pages (issue #17929) (#18207) * Remove CSS class `.cd-layout--extension` Signed-off-by: David Wu <155603967+david-wu-octopus@users.noreply.github.com> * Remove all usages of CSS class `.cd-layout--extension` Signed-off-by: David Wu <155603967+david-wu-octopus@users.noreply.github.com> * Remove unused prop `isExtension` from `` Signed-off-by: David Wu <155603967+david-wu-octopus@users.noreply.github.com> * Remove unused property `extension` from type `Routes` Signed-off-by: David Wu <155603967+david-wu-octopus@users.noreply.github.com> * Fix linting error Signed-off-by: David Wu <155603967+david-wu-octopus@users.noreply.github.com> --------- Signed-off-by: David Wu <155603967+david-wu-octopus@users.noreply.github.com> --- ui/src/app/app.tsx | 11 +++-------- ui/src/app/shared/components/layout/layout.scss | 10 ---------- ui/src/app/shared/components/layout/layout.tsx | 3 +-- 3 files changed, 4 insertions(+), 20 deletions(-) diff --git a/ui/src/app/app.tsx b/ui/src/app/app.tsx index 67ef504c8a64..fb52e54e03dd 100644 --- a/ui/src/app/app.tsx +++ b/ui/src/app/app.tsx @@ -26,7 +26,7 @@ const base = bases.length > 0 ? bases[0].getAttribute('href') || '/' : '/'; export const history = createBrowserHistory({basename: base}); requests.setBaseHRef(base); -type Routes = {[path: string]: {component: React.ComponentType>; noLayout?: boolean; extension?: boolean}}; +type Routes = {[path: string]: {component: React.ComponentType>; noLayout?: boolean}}; const routes: Routes = { '/login': {component: login.component as any, noLayout: true}, 
@@ -182,8 +182,7 @@ export class App extends React.Component< ); extendedRoutes[extension.path] = { - component: component as React.ComponentType>, - extension: true + component: component as React.ComponentType> }; } @@ -237,11 +236,7 @@ export class App extends React.Component< ) : ( services.viewPreferences.getPreferences()}> {pref => ( - this.setState({showVersionPanel: true})} - navItems={this.navItems} - pref={pref} - isExtension={route.extension}> + this.setState({showVersionPanel: true})} navItems={this.navItems} pref={pref}> diff --git a/ui/src/app/shared/components/layout/layout.scss b/ui/src/app/shared/components/layout/layout.scss index ad01b89e65bf..5362d894ee47 100644 --- a/ui/src/app/shared/components/layout/layout.scss +++ b/ui/src/app/shared/components/layout/layout.scss @@ -40,14 +40,4 @@ &__content { width: 100%; } - - &--extension { - .cd-layout__content--sb-expanded { - padding-left: $sidebar-width; - } - - .cd-layout__content--sb-collapsed { - padding-left: $collapsed-sidebar-width; - } - } } diff --git a/ui/src/app/shared/components/layout/layout.tsx b/ui/src/app/shared/components/layout/layout.tsx index 096fdde68e99..e08297cb4e9e 100644 --- a/ui/src/app/shared/components/layout/layout.tsx +++ b/ui/src/app/shared/components/layout/layout.tsx @@ -9,7 +9,6 @@ export interface LayoutProps { onVersionClick?: () => void; children?: React.ReactNode; pref: ViewPreferences; - isExtension?: boolean; } const getBGColor = (theme: string): string => (theme === 'light' ? '#dee6eb' : '#100f0f'); @@ -23,7 +22,7 @@ export const Layout = (props: LayoutProps) => { return (
    -
    +
    {props.children} From 257b242efde53261128c207d3cf957578f5ea7b2 Mon Sep 17 00:00:00 2001 From: condaatje Date: Mon, 20 May 2024 03:53:20 -0400 Subject: [PATCH 4/7] add apiVersion so yaml applies properly in-cluster (#18282) Signed-off-by: condaatje --- docs/operator-manual/applicationset/Generators-Cluster.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/operator-manual/applicationset/Generators-Cluster.md b/docs/operator-manual/applicationset/Generators-Cluster.md index 3cdc5a3dade6..de769b94deed 100644 --- a/docs/operator-manual/applicationset/Generators-Cluster.md +++ b/docs/operator-manual/applicationset/Generators-Cluster.md @@ -64,6 +64,7 @@ In this example, the cluster secret's `name` and `server` fields are used to pop A label selector may be used to narrow the scope of targeted clusters to only those matching a specific label: ```yaml +apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: name: guestbook @@ -88,6 +89,7 @@ spec: This would match an Argo CD cluster secret containing: ```yaml +apiVersion: v1 kind: Secret data: # (... fields as above ...) From 4d61974d5834588a00abc173e41551ea7090fc1c Mon Sep 17 00:00:00 2001 From: happyso Date: Mon, 20 May 2024 17:18:19 +0900 Subject: [PATCH 5/7] fix(ui): Add title for full content without clicking (issue #17600) (#18243) * fix: Add title for full content without clicking Signed-off-by: sunyeongchoi * fix: apply ui lint Signed-off-by: sunyeongchoi * fix: apply argo-ui Tooltip and define local variable Signed-off-by: sunyeongchoi --------- Signed-off-by: sunyeongchoi --- .../application-resource-list.tsx | 168 ++++++++++-------- 1 file changed, 90 insertions(+), 78 deletions(-) diff --git a/ui/src/app/applications/components/application-details/application-resource-list.tsx b/ui/src/app/applications/components/application-details/application-resource-list.tsx index 6fc06abe9a15..2230e31bacea 100644 --- a/ui/src/app/applications/components/application-details/application-resource-list.tsx 
+++ b/ui/src/app/applications/components/application-details/application-resource-list.tsx @@ -1,4 +1,4 @@ -import {DropDown} from 'argo-ui'; +import {DropDown, Tooltip} from 'argo-ui'; import * as React from 'react'; import * as classNames from 'classnames'; import * as models from '../../../shared/models'; @@ -70,89 +70,101 @@ export const ApplicationResourceList = (props: ApplicationResourceListProps) =>
    {props.resources .sort((first, second) => -createdOrNodeKey(first).localeCompare(createdOrNodeKey(second))) - .map(res => ( -
    props.onNodeClick && props.onNodeClick(nodeKey(res))}> -
    -
    -
    - -
    -
    {ResourceLabel({kind: res.kind})}
    + .map(res => { + const groupkindjoin = [res.group, res.kind].filter(item => !!item).join('/'); + return ( +
    props.onNodeClick && props.onNodeClick(nodeKey(res))}> +
    +
    +
    + +
    +
    {ResourceLabel({kind: res.kind})}
    +
    -
    -
    - {res.name} - {res.kind === 'Application' && ( - - {ctx => ( - - e.stopPropagation()} - title='Open application'> - - + +
    + {res.name} + {res.kind === 'Application' && ( + + {ctx => ( + + e.stopPropagation()} + title='Open application'> + + + + )} + + )} +
    +
    + +
    {groupkindjoin}
    +
    + +
    {res.syncWave || '-'}
    +
    + +
    {res.namespace}
    +
    + {isSameKind && + res.kind === 'ReplicaSet' && + ((nodeByKey.get(nodeKey(res)) as ResourceNode).info || []) + .filter(tag => !tag.name.includes('Node')) + .slice(0, 4) + .map((tag, i) => { + return ( +
    + {tag?.value?.split(':')[1] || '-'} +
    + ); + })} + +
    + {res.createdAt && ( + + + {res.createdAt} + +  ago   {format(new Date(res.createdAt), 'MM/dd/yy')} )} - - )} -
    -
    {[res.group, res.kind].filter(item => !!item).join('/')}
    -
    {res.syncWave || '-'}
    -
    {res.namespace}
    - {isSameKind && - res.kind === 'ReplicaSet' && - ((nodeByKey.get(nodeKey(res)) as ResourceNode).info || []) - .filter(tag => !tag.name.includes('Node')) - .slice(0, 4) - .map((tag, i) => { - return ( -
    - {tag?.value?.split(':')[1] || '-'} -
    - ); - })} - -
    - {res.createdAt && ( - - - {res.createdAt} - -  ago   {format(new Date(res.createdAt), 'MM/dd/yy')} - - )} -
    -
    - {res.health && ( - - {res.health.status}   - - )} - {res.status && } - {res.hook && } - {props.nodeMenu && ( -
    - ( - - )}> - {() => props.nodeMenu(nodeByKey.get(nodeKey(res)))} -
    - )} + +
    + {res.health && ( + + {res.health.status}   + + )} + {res.status && } + {res.hook && } + {props.nodeMenu && ( +
    + ( + + )}> + {() => props.nodeMenu(nodeByKey.get(nodeKey(res)))} + +
    + )} +
    -
    - ))} + ); + })}
    ) From 9c8d6524713690c68713e6d10a248dbb10f938b3 Mon Sep 17 00:00:00 2001 From: Nikhil Vaidyar Date: Mon, 20 May 2024 14:38:28 +0530 Subject: [PATCH 6/7] feat: Adding the domain_hint as an optional field in OIDC configuration (#18214) * [18066] - Added DomainHint key in OIDCConfig struct Signed-off-by: nikzayn * [18066] - Added DomainHint in options for grantType Signed-off-by: nikzayn * [18066] - Auth0 readme.md --updated Signed-off-by: nikzayn --------- Signed-off-by: nikzayn --- cmd/argocd/commands/login.go | 5 +++++ docs/operator-manual/user-management/auth0.md | 1 + util/settings/settings.go | 2 ++ 3 files changed, 8 insertions(+) diff --git a/cmd/argocd/commands/login.go b/cmd/argocd/commands/login.go index abb2b004291c..2b356706a079 100644 --- a/cmd/argocd/commands/login.go +++ b/cmd/argocd/commands/login.go @@ -31,6 +31,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/localconfig" oidcutil "github.com/argoproj/argo-cd/v2/util/oidc" "github.com/argoproj/argo-cd/v2/util/rand" + oidcconfig "github.com/argoproj/argo-cd/v2/util/settings" ) // NewLoginCommand returns a new instance of `argocd login` command @@ -306,6 +307,7 @@ func oauth2Login( fmt.Printf("Opening browser for authentication\n") var url string + var oidcconfig oidcconfig.OIDCConfig grantType := oidcutil.InferGrantType(oidcConf) opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline} if claimsRequested := oidcSettings.GetIDTokenClaims(); claimsRequested != nil { @@ -316,6 +318,9 @@ func oauth2Login( case oidcutil.GrantTypeAuthorizationCode: opts = append(opts, oauth2.SetAuthURLParam("code_challenge", codeChallenge)) opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256")) + if oidcconfig.DomainHint != "" { + opts = append(opts, oauth2.SetAuthURLParam("domain_hint", oidcconfig.DomainHint)) + } url = oauth2conf.AuthCodeURL(stateNonce, opts...) case oidcutil.GrantTypeImplicit: url, err = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...) 
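Review bot: The new local `groupkindjoin` introduced at the top of the `.map(res => { ... })` callback does not follow the camelCase used elsewhere in this file (`nodeByKey`, `isSameKind`, `createdOrNodeKey`); since it is read in two places on the new side (the Tooltip content and the cell text), a conventional name such as `const groupKind = [res.group, res.kind].filter(item => !!item).join('/');` would read better. The enclosing `ApplicationResourceList` component starts before this hunk, and the markup in the rendered lines here has lost its tags, so the JSX itself cannot be reviewed from this page.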
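Review bot: The `domain_hint` parameter is never sent, because the local added in the second hunk, `var oidcconfig oidcconfig.OIDCConfig`, is a zero-value struct that nothing in `oauth2Login` assigns to before the third hunk reads `oidcconfig.DomainHint`, so the new `if oidcconfig.DomainHint != ""` is always false. That local also shadows the `oidcconfig` import alias added in the first hunk, so the alias is unusable after that line and the import exists only to name the local's type. The hint has to come from the settings value the CLI already receives — `oidcSettings`, which this function reads via `GetIDTokenClaims()` a few lines earlier — so the fix is to drop the local and the import and write `if hint := <DomainHint read from oidcSettings>; hint != "" { opts = append(opts, oauth2.SetAuthURLParam("domain_hint", hint)) }`, adding the field to that settings type if it does not carry it yet. Note also that the append sits inside the `GrantTypeAuthorizationCode` case, so the implicit-flow branch never gets the hint; if it is meant for both flows, append it before the `switch`. `oauth2Login` begins before these hunks and continues after them.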
diff --git a/docs/operator-manual/user-management/auth0.md b/docs/operator-manual/user-management/auth0.md index 411517df05e0..c20b5f5af30c 100644 --- a/docs/operator-manual/user-management/auth0.md +++ b/docs/operator-manual/user-management/auth0.md @@ -39,6 +39,7 @@ data: issuer: https://..auth0.com/ clientID: clientSecret: + domain_hint: requestedScopes: - openid - profile diff --git a/util/settings/settings.go b/util/settings/settings.go index 45da68945a59..7068fda32b74 100644 --- a/util/settings/settings.go +++ b/util/settings/settings.go @@ -171,6 +171,7 @@ func (o *oidcConfig) toExported() *OIDCConfig { LogoutURL: o.LogoutURL, RootCA: o.RootCA, EnablePKCEAuthentication: o.EnablePKCEAuthentication, + DomainHint: o.DomainHint, } } @@ -188,6 +189,7 @@ type OIDCConfig struct { LogoutURL string `json:"logoutURL,omitempty"` RootCA string `json:"rootCA,omitempty"` EnablePKCEAuthentication bool `json:"enablePKCEAuthentication,omitempty"` + DomainHint string `json:"domainHint,omitempty"` } // DEPRECATED. Helm repository credentials are now managed using RepoCredentials From 8480f5cd87c5e47b5577693e6eb03e2944b67ba0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 16:53:51 +0300 Subject: [PATCH 7/7] chore(deps): bump library/node from 21.6.2 to 21.7.0 (#17446) Bumps library/node from 21.6.2 to 21.7.0. --- updated-dependencies: - dependency-name: library/node dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: pasha-codefresh --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6ba69702b43e..40736dfa8eba 100644 --- a/Dockerfile +++ b/Dockerfile 
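Review bot: The key documented in the auth0.md hunk, `domain_hint:`, does not match the tag added here, `DomainHint string \`json:"domainHint,omitempty"\``, so one of the two needs to change; which one depends on how the `oidc.config` YAML is parsed into the unexported `oidcConfig`, which this page does not show. Relatedly, the `toExported` hunk reads `o.DomainHint` on the `oidcConfig` receiver, but the diffstat for settings.go lists only these two insertions, so that field is either already present or this does not compile — worth confirming. A short field comment such as `// DomainHint is passed to the provider as the OIDC domain_hint authorization parameter.` would also help, since the other fields give no indication of where they end up.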
@@ -83,7 +83,7 @@ WORKDIR /home/argocd #################################################################################################### # Argo CD UI stage #################################################################################################### -FROM --platform=$BUILDPLATFORM docker.io/library/node:21.6.2@sha256:65998e325b06014d4f1417a8a6afb1540d1ac66521cca76f2221a6953947f9ee AS argocd-ui +FROM --platform=$BUILDPLATFORM docker.io/library/node:21.7.0@sha256:104b26b5d34f9907f1f1e5e51fd9e557845f1a354f07ee9f28814dd9574a6154 AS argocd-ui WORKDIR /src COPY ["ui/package.json", "ui/yarn.lock", "./"]