
github.com/argoproj/argo-cd/v2 vulnerabilities

46 known vulnerabilities affecting github.com/argoproj/argo-cd/v2.

Total CVEs: 46
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 13, MEDIUM 16, UNKNOWN 9

Vulnerabilities

Page 1 of 3
CVE-2025-55190 | P1 | CRITICAL | Exploited, PoC | Affected: ≥ 2.13.0, < 2.13.9; ≥ 2.14.0, < 2.14.16 | 2025-09-04
CWE-200: Argo CD's Project API Token Exposes Repository Credentials
Summary: Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. Component: `Project API (/api/v1/projects/{project}/detai
Sources: GHSA, OSV

CVE-2024-37152 | P2 | UNKNOWN | PoC | Affected: ≥ 2.9.3, < 2.9.17; ≥ 2.10.0, < 2.10.12; +1 more | 2024-06-14
Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd
Sources: OSV

CVE-2022-29165 | P2 | CRITICAL | Affected: ≥ 2.3.0, < 2.3.4; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
CWE-200: Argo CD will blindly trust JWT claims if anonymous access is enabled
Impact: A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, [anonymous access](
Sources: GHSA, OSV

CVE-2024-21652 | P3 | CRITICAL | Affected: ≥ 0, < 2.8.13; ≥ 2.9.0, < 2.9.9; +1 more | 2024-03-18
CWE-307: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
Summary: An attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all
Sources: GHSA, OSV

CVE-2024-31989 | P3 | CRITICAL | Affected: ≥ 0, < 2.8.19; ≥ 2.9.0-rc1, < 2.9.15; +2 more | 2024-05-21
CWE-327: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Summary: By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially l
Sources: GHSA, OSV

CVE-2022-24768 | P3 | UNKNOWN | Affected: ≥ 0, < 2.1.14; ≥ 2.2.0, < 2.2.8; +1 more | 2024-08-21
Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd
Sources: OSV

CVE-2023-22482 | P3 | UNKNOWN | Affected: ≥ 0, < 2.3.14; ≥ 2.4.0, < 2.4.20; +2 more | 2024-08-20
JWT audience claim is not verified in github.com/argoproj/argo-cd
Sources: OSV

CVE-2024-21662 | P3 | MEDIUM | Affected: ≥ 0, < 2.8.13; ≥ 2.9.0, < 2.9.9; +1 more | 2024-03-18
CWE-307: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
Summary: An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedo
Sources: GHSA

CVE-2023-40029 | P3 | CRITICAL | Affected: ≥ 2.2.0, < 2.6.15; ≥ 2.7.0, < 2.7.14; +1 more | 2023-09-11
CWE-200: Argo CD cluster secret might leak in cluster details page
Impact: Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as s
Sources: GHSA, OSV

CVE-2023-23947 | P3 | UNKNOWN | Affected: ≥ 2.3.0, < 2.3.17; ≥ 2.4.0, < 2.4.23; +2 more | 2024-08-20
Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd
Sources: OSV

CVE-2023-22736 | P3 | HIGH | Affected: ≥ 2.5.0-rc1, < 2.5.8; ≥ 2.6.0-rc4, < 2.6.0-rc5 | 2023-01-25
CWE-862: Controller reconciles apps outside configured namespaces when sharding is enabled
Impact: All Argo CD versions starting with 2.5.0-rc1 are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Description of exploit: Reconciled Application namespaces are specified as a comma-delimited
Sources: GHSA, OSV

CVE-2022-24348 | P3 | HIGH | CVSS 7.7 | Affected: ≥ 0, < 2.1.9; ≥ 2.2.0, < 2.2.4 | 2022-02-07
CWE-200: Path traversal and dereference of symlinks in Argo CD
Impact: All versions of Argo CD are vulnerable to a path traversal bug that allows arbitrary values files to be passed to Helm charts. Additionally, it is possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository's root directory. If an attacker wit
Sources: GHSA, OSV

CVE-2022-1025 | P3 | HIGH | Affected: ≥ 0, < 2.1.14; ≥ 2.2.0, < 2.2.8; +1 more | 2022-07-13
CWE-1220: Argo CD improper access control bug can allow malicious user to escalate privileges to admin level
Impact (versions starting with v1.0.0): All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. To perform the following ex
Sources: GHSA, OSV

CVE-2022-31105 | P3 | UNKNOWN | Affected: ≥ 0, < 2.2.11; ≥ 2.3.0, < 2.3.6; +1 more | 2024-08-21
Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd
Sources: OSV

CVE-2025-59531 | P3 | HIGH | Affected: ≥ 2.0.0-rc1, < 2.14.20 | 2025-09-30
CWE-703: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Summary: Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no `webhook.bitbucketserver.secret` set, Argo CD’s /api/webhook endpoint will crash the entire argocd-s
Sources: GHSA, OSV

CVE-2025-59538 | P3 | HIGH | Affected: ≥ 2.9.0-rc1, < 2.14.20 | 2025-09-30
CWE-248: Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary: In the default configuration, with `webhook.azuredevops.username` and `webhook.azuredevops.password` not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is acces
Sources: GHSA, OSV

CVE-2022-31034 | P3 | HIGH | Affected: ≥ 0, < 2.1.16; ≥ 2.2.0, < 2.2.10; +2 more | 2022-06-21
CWE-330: Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params
Impact: All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-se
Sources: GHSA, OSV

CVE-2025-59537 | P3 | HIGH | Affected: ≥ 2.0.0-rc1, < 2.14.20 | 2025-09-30
CWE-20: argo-cd vulnerable to unauthenticated DoS via malformed Gogs webhook payload
Summary: Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no `webhook.gogs.secret` set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a G
Sources: GHSA, OSV

CVE-2024-40634 | P3 | HIGH | Affected: ≥ 0, < 2.9.20; ≥ 2.10.0, < 2.10.15; +1 more | 2024-07-22
CWE-400: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
Summary: This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill.
Sources: GHSA, OSV

CVE-2024-22424 | P3 | HIGH | Affected: ≥ 0, < 2.7.16; ≥ 2.8.0-rc1, < 2.8.8; +2 more | 2024-01-19
CWE-352: github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability
Impact: The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.16 is vulnerable to a cross-site request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page whic
Sources: GHSA, OSV
