Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/argoproj/argo-cd/v2-v2.8.9 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-21652 | Critical | 9.8 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.13,v2.9.9,v2.10.4 | ❌ |
| CVE-2024-28175 | Critical | 9.0 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.12,v2.9.8,v2.10.3 | ❌ |
| CVE-2023-3955 | High | 8.8 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
| CVE-2023-3676 | High | 8.8 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
| CVE-2024-21662 | High | 7.5 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.13,v2.9.9,v2.10.4 | ❌ |
| CVE-2024-21661 | High | 7.5 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.13,v2.9.9,v2.10.4 | ❌ |
| CVE-2023-45288 | High | 7.5 | golang.org/x/net-v0.21.0 | Transitive | N/A* | ❌ |
| CVE-2023-44487 | High | 7.5 | k8s.io/apiserver-v0.24.2 | Transitive | N/A* | ❌ |
| CVE-2023-5408 | High | 7.2 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
| CVE-2024-32476 | Medium | 6.5 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.17,v2.9.13,v2.10.8 | ❌ |
| CVE-2024-29893 | Medium | 6.5 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.14,v2.9.10,v2.10.5 | ❌ |
| CVE-2023-2728 | Medium | 6.5 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
| CVE-2023-2727 | Medium | 6.5 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
| CVE-2023-50726 | Medium | 6.4 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.12,v2.9.8,v2.10.3 | ❌ |
| CVE-2023-2431 | Medium | 5.5 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
| CVE-2024-31990 | Medium | 4.8 | github.com/argoproj/argo-cd/v2-v2.8.9 | Direct | v2.8.16,v2.9.12,v2.10.7 | ❌ |
| CVE-2024-28180 | Medium | 4.3 | github.com/go-jose/go-jose/v3-v3.0.2 | Transitive | N/A* | ❌ |
| CVE-2024-3177 | Low | 2.7 | k8s.io/kubernetes-v1.24.2 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2024-21652
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
Publish Date: 2024-03-18
URL: CVE-2024-21652
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21652
Release Date: 2024-03-18
Fix Resolution: v2.8.13,v2.9.9,v2.10.4
Step up your Open Source Security Game with Mend here
CVE-2024-28175
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocol filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3, v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value uses an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.
Publish Date: 2024-03-13
URL: CVE-2024-28175
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jwv5-8mqv-g387
Release Date: 2024-03-13
Fix Resolution: v2.8.12,v2.9.8,v2.10.3
CVE-2023-3955
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Publish Date: 2023-10-31
URL: CVE-2023-3955
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q3/126
Release Date: 2023-07-27
Fix Resolution: v1.24.17,v1.25.13,v1.26.8,v1.27.5,v1.28.1
CVE-2023-3676
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Publish Date: 2023-10-31
URL: CVE-2023-3676
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-14
Fix Resolution: v1.24.17,v1.25.13,v1.26.8,v1.27.5,v1.28.1
CVE-2024-21662
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a defaultMaxCacheSize of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch.
Publish Date: 2024-03-18
URL: CVE-2024-21662
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-2vgg-9h6w-m454
Release Date: 2024-03-18
Fix Resolution: v2.8.13,v2.9.9,v2.10.4
CVE-2024-21661
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
Publish Date: 2024-03-18
URL: CVE-2024-21661
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6v85-wr92-q4p7
Release Date: 2024-03-18
Fix Resolution: v2.8.13,v2.9.9,v2.10.4
CVE-2023-45288
Vulnerable Library - golang.org/x/net-v0.21.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
- ❌ golang.org/x/net-v0.21.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Publish Date: 2024-04-04
URL: CVE-2023-45288
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-10-06
Fix Resolution: golang/net - v0.23.0
CVE-2023-44487
Vulnerable Library - k8s.io/apiserver-v0.24.2
Library for writing a Kubernetes-style API server.
Library home page: https://proxy.golang.org/k8s.io/apiserver/@v/v0.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/apiserver/@v/v0.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - k8s.io/kubernetes-v1.24.2
      - ❌ k8s.io/apiserver-v0.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
CVE-2023-5408
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.
Publish Date: 2023-11-02
URL: CVE-2023-5408
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2024-32476
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
Publish Date: 2024-04-26
URL: CVE-2024-32476
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9m6p-x4h2-6frq
Release Date: 2024-04-26
Fix Resolution: v2.8.17,v2.9.13,v2.10.8
CVE-2024-29893
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in ArgoCD's helm package does not limit the size nor the time taken while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.
Publish Date: 2024-03-29
URL: CVE-2024-29893
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jhwx-mhww-rgc3
Release Date: 2024-03-29
Fix Resolution: v2.8.14,v2.9.10,v2.10.5
CVE-2023-2728
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
Publish Date: 2023-07-03
URL: CVE-2023-2728
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-05-16
Fix Resolution: v1.24.15,v1.25.11,v1.26.6,v1.27.3
CVE-2023-2727
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Publish Date: 2023-07-03
URL: CVE-2023-2727
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-05-16
Fix Resolution: v1.24.15,v1.25.11,v1.26.6,v1.27.3
CVE-2023-50726
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have "create" privileges but not "override" privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions, are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing "applications, create" RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.
Publish Date: 2024-03-13
URL: CVE-2023-50726
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-g623-jcgg-mhmm
Release Date: 2024-03-13
Fix Resolution: v2.8.12,v2.9.8,v2.10.3
CVE-2023-2431
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A security issue was discovered in Kubelet that allows pods to bypass seccomp profile enforcement. Pods that use the localhost type for the seccomp profile but specify an empty profile field are affected by this issue. In this scenario, the vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
Publish Date: 2023-06-16
URL: CVE-2023-2431
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-2431
Release Date: 2023-06-16
Fix Resolution: v1.24.14,v1.25.9,v1.26.4,v1.27.1
CVE-2024-31990
Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9
Declarative Continuous Deployment for Kubernetes
Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod
Dependency Hierarchy:
- ❌ github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces, which allows attackers to use the UI to edit resources which should only be mutable via GitOps. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.
Publish Date: 2024-04-15
URL: CVE-2024-31990
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2gvw-w6fj-7m3c
Release Date: 2024-04-15
Fix Resolution: v2.8.16,v2.9.12,v2.10.7
CVE-2024-28180
Vulnerable Library - github.com/go-jose/go-jose/v3-v3.0.2
An implementation of JOSE standards (JWE, JWS, JWT) in Go
Library home page: https://proxy.golang.org/github.com/go-jose/go-jose/v3/@v/v3.0.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/coreos/go-oidc/v3-v3.9.0
    - ❌ github.com/go-jose/go-jose/v3-v3.0.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Publish Date: 2024-03-09
URL: CVE-2024-28180
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180
Release Date: 2024-03-09
Fix Resolution: v2.6.3,v3.0.3,v4.0.1
CVE-2024-3177
Vulnerable Library - k8s.io/kubernetes-v1.24.2
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod
Dependency Hierarchy:
- github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
  - github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
    - ❌ k8s.io/kubernetes-v1.24.2 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
Publish Date: 2024-04-22
URL: CVE-2024-3177
CVSS 3 Score Details (2.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://discuss.kubernetes.io/t/security-advisory-cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin/27905
Release Date: 2024-04-02
Fix Resolution: v1.27.13,v1.28.9,v1.29.4