
Argoproj Argo-Cd vulnerabilities

42 known vulnerabilities affecting argoproj/argo-cd.

Total CVEs: 42
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 14, MEDIUM 21

Vulnerabilities

Page 2 of 3
CVE-2022-24730 | MEDIUM (P3) | CVSS 6.5 | CWE-22 | Affected: >= 1.3.0, < 2.1.11; >= 2.2.0, < 2.2.6; +1 more | Date: 2022-03-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A
Source: nvd

CVE-2024-31990 | MEDIUM (P3) | CVSS 6.3 | CWE-863 | Affected: >= 2.10.0, < 2.10.7; >= 2.9.0, < 2.9.12; +1 more | Date: 2024-04-15
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.
Source: nvd

CVE-2023-40025 | HIGH (P3) | CVSS 7.1 | CWE-613 | Affected: >= 2.6.0, < 2.6.14; >= 2.7.0, < 2.7.12; +1 more | Date: 2023-08-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and
Source: nvd

CVE-2024-41666 | MEDIUM (P3) | CVSS 6.5 | CWE-269 | Affected: >= 2.6.0, < 2.9.21; >= 2.10.0, < 2.10.16; +1 more | Date: 2024-07-24
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, e
Source: nvd

CVE-2023-40584 | MEDIUM (P3) | CVSS 6.5 | CWE-400 | Affected: >= 2.4.0, < 2.6.15; >= 2.7.0, < 2.7.14; +1 more | Date: 2023-09-07
Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious,
Source: nvd

CVE-2023-25163 | MEDIUM (P3) | CVSS 6.5 | CWE-532 | Affected: >= 2.6.0-rc1, < 2.6.1 | Date: 2023-02-08
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or updat
Source: nvd

CVE-2023-50726 | MEDIUM (P3) | CVSS 6.4 | CWE-269 | Affected: >= 1.2.0-rc1, < 2.8.12; >= 2.9.0, < 2.9.8; +1 more | Date: 2024-03-13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.
Source: nvd

CVE-2024-29893 | MEDIUM (P3) | CVSS 6.5 | CWE-400 | Affected: >= 2.4.0, < 2.8.14; >= 2.9.0, < 2.9.10; +1 more | Date: 2024-03-29
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm regi
Source: nvd

CVE-2025-23216 | MEDIUM (P4) | CVSS 6.8 | CWE-200 | Affected: >= 2.13.0, < 2.13.4; >= 2.12.0, < 2.12.10; +1 more | Date: 2025-01-30
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either in
Source: nvd

CVE-2022-31016 | MEDIUM (P4) | CVSS 6.5 | CWE-400 | Affected: >= 0.7.0, < 2.1.16; > 2.0.0, < 2.2.10; +1 more | Date: 2022-06-25
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from
Source: nvd

CVE-2024-32476 | MEDIUM (P4) | CVSS 6.5 | CWE-400 | Affected: >= 2.10.0, < 2.10.8; >= 2.9.0, < 2.9.13; +1 more | Date: 2024-05-14
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
Source: nvd

CVE-2025-55191 | MEDIUM (P4) | CVSS 5.3 | CWE-362 | Affected: >= 2.1.0, < 2.14.20; = 3.2.0-rc1; +2 more | Date: 2025-09-30
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same reposit
Source: nvd

CVE-2022-31102 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | Affected: >= 2.3.0, < 2.3.6; >= 2.4.0, < 2.4.5 | Date: 2022-07-12
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which ha
Source: nvd

CVE-2025-47933 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | Affected: >= 1.2.0-rc1, <= 1.8.7; >= 2.0.0-rc3, < 2.13.8; +2 more | Date: 2025-05-29
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository
Source: nvd

CVE-2022-24731 | MEDIUM (P4) | CVSS 4.9 | CWE-22 | Affected: >= 1.5.0, < 2.1.11; >= 2.2.0, < 2.2.6; +1 more | Date: 2022-03-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `
Source: nvd

CVE-2022-31035 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | Affected: >= 1.0.0, < 2.1.16; >= 2.2.0, < 2.2.10; +2 more | Date: 2022-06-27
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin).
Source: nvd

CVE-2024-28175 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | Affected: >= 1.0.0, < 2.8.12; >= 2.9.0, < 2.9.8; +1 more | Date: 2024-03-13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are v
Source: nvd

CVE-2022-31036 | MEDIUM (P4) | CVSS 4.3 | CWE-20 | Affected: >= 1.3.0, < 2.1.16; >= 2.2.0, < 2.2.10; +2 more | Date: 2022-06-27
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be
Source: nvd

CVE-2022-24904 | MEDIUM (P4) | CVSS 4.3 | CWE-59 | Affected: >= 0.7.0, < 2.1.15; >= 2.2.0, < 2.2.9; +1 more | Date: 2022-05-20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for
Source: nvd

CVE-2023-40026 | MEDIUM (P4) | CVSS 4.3 | CWE-22 | Affected: fixed in 2.3 | Date: 2023-09-27
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. T
Source: nvd