
Argoproj Argo Cd vulnerabilities

56 known vulnerabilities affecting argoproj/argo_cd.

Total CVEs: 56
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 20, MEDIUM 28

Vulnerabilities

Page 3 of 3
CVE-2024-32476 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 2.1.0, < 2.8.17; ≥ 2.9.0, < 2.9.13; +1 more | Published: 2024-05-14
CWE-400: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
Source: nvd

CVE-2025-55191 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.1.0, < 2.14.20; ≥ 3.0.0, < 3.0.19; +2 more | Published: 2025-09-30
CWE-362: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same reposit
Source: nvd

CVE-2022-31102 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.3.0, < 2.3.6; ≥ 2.4.0, < 2.4.5 | Published: 2022-07-12
CWE-79: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which ha
Source: nvd

CVE-2025-47933 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 1.2.1, < 2.13.8; ≥ 2.14.0, < 2.14.13; +2 more | Published: 2025-05-29
CWE-79: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository
Source: nvd

CVE-2022-24731 | P4 | MEDIUM | CVSS 4.9 | Affected: ≥ 1.5.0, < 2.1.11; ≥ 2.2.0, < 2.2.6; +1 more | Published: 2022-03-23
CWE-22: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `
Source: nvd

CVE-2020-11576 | P4 | MEDIUM | CVSS 5.3 | Affected: v1.5.0 | Published: 2020-04-08
CWE-203: Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Source: nvd

CVE-2022-31035 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 1.0.0, < 2.1.16; v2.2.9; +2 more | Published: 2022-06-27
CWE-79: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin).
Source: nvd

CVE-2024-28175 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 1.0.0, < 2.8.12; ≥ 2.9.0, < 2.9.8; +1 more | Published: 2024-03-13
CWE-79: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are v
Source: nvd

CVE-2021-23135 | P4 | MEDIUM | CVSS 5.5 | Affected: ≥ 1.7.0, < 1.7.14; ≥ 1.8.0, < 1.8.7 | Published: 2021-05-12
CWE-497: Exposure of System Data to an Unauthorized Control Sphere vulnerability in the web UI of Argo CD allows an attacker to cause secret data to leak into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.
Source: nvd

CVE-2022-31036 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 1.3.0, < 2.1.6; v2.2.9; +2 more | Published: 2022-06-27
CWE-20: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be
Source: nvd

CVE-2021-26924 | P4 | MEDIUM | CVSS 6.1 | Affected: fixed in 1.7.12; ≥ 1.8.0, < 1.8.4 | Published: 2021-03-15
CWE-79: An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header.
Source: nvd

CVE-2022-24904 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 0.7.0, < 2.1.15; ≥ 2.2.0, < 2.2.9; +1 more | Published: 2022-05-20
CWE-59: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for
Source: nvd

CVE-2023-40026 | P4 | MEDIUM | CVSS 4.3 | Affected: fixed in 2.3.0 | Published: 2023-09-27
CWE-22: Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. T
Source: nvd

CVE-2022-24905 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 0.6.1, < 2.1.15; ≥ 2.2.0, < 2.2.9; +1 more | Published: 2022-05-20
CWE-20: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a
Source: nvd

CVE-2024-36106 | P4 | MEDIUM | CVSS 4.3 | Affected: fixed in 2.9.17; ≥ 2.10.0, < 2.10.12; +1 more | Published: 2024-06-06
CWE-209: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It's possible for authenticated users to enumerate clusters by name by inspecting error messages. It's also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.1
Source: nvd

CVE-2021-23347 | P4 | MEDIUM | CVSS 4.8 | Affected: fixed in 1.7.13; ≥ 1.8.0, < 1.8.6 | Published: 2021-03-03
CWE-79: The package github.com/argoproj/argo-cd/cmd before 1.7.13, and from 1.8.0 before 1.8.6, is vulnerable to Cross-site Scripting (XSS): the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.
Source: nvd
Argoproj Argo Cd vulnerabilities | cvebase