cbcvebase.

Github.Com Argoproj Argo-Cd V2 vulnerabilities

46 known vulnerabilities affecting github.com/argoproj_argo-cd_v2.

Total CVEs
46
CISA KEV
0
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL8HIGH13MEDIUM16UNKNOWN9

Vulnerabilities

Page 2 of 3
CVE-2024-21661P3HIGH≥ 0, < 2.8.13≥ 2.9.0, < 2.9.9+1 more2024-03-18
CVE-2024-21661 [HIGH] CWE-787 Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment ### Summary An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.
ghsaosv
CVE-2024-41666P3HIGHCVSS 7.1≥ 2.6.0, < 2.9.21≥ 2.10.0, < 2.10.16+1 more2024-07-24
CVE-2024-41666 [HIGH] CWE-269 The Argo CD web terminal session does not handle the revocation of user permissions properly The Argo CD web terminal session does not handle the revocation of user permissions properly Argo CD v2.11.3 and before, discovering that even if the user's ```p, role:myrole, exec, create, */*, allow``` permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access. #
ghsaosv
CVE-2022-24730P3UNKNOWN≥ 0, < 2.1.11≥ 2.2.0, < 2.2.6+1 more2024-08-21
CVE-2022-24730 Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
osv
CVE-2024-31990P3MEDIUM≥ 2.4.0, < 2.8.16≥ 2.9.0, < 2.9.12+1 more2024-04-15
CVE-2024-31990 [MEDIUM] CWE-863 Argo CD's API server does not enforce project sourceNamespaces Argo CD's API server does not enforce project sourceNamespaces ### Impact I can convince the UI to let me do things with an invalid Application. 1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace 2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps` 3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e.
ghsaosv
CVE-2023-40025P3HIGH≥ 2.6.0, < 2.6.14≥ 2.7.0, < 2.7.12+2 more2023-08-23
CVE-2023-40025 [HIGH] CWE-613 Argo CD web terminal session doesn't expire Argo CD web terminal session doesn't expire ### Impact All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even wh
ghsaosv
CVE-2023-40584P3MEDIUM≥ 2.4.0, < 2.6.15≥ 2.7.0, < 2.7.14+1 more2023-09-11
CVE-2023-40584 [MEDIUM] CWE-400 Argo CD repo-server Denial of Service vulnerability Argo CD repo-server Denial of Service vulnerability ### Impact All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exp
ghsaosv
CVE-2023-25163P3MEDIUM≥ 2.6.0-rc1, < 2.6.12023-02-08
CVE-2023-25163 [MEDIUM] CWE-532 Argo CD leaks repository credentials in user-facing error messages and in logs Argo CD leaks repository credentials in user-facing error messages and in logs ### Impact All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via
ghsaosv
CVE-2023-50726P3MEDIUM≥ 2.9.0, < 2.9.8≥ 2.10.0, < 2.10.3+1 more2024-03-15
CVE-2023-50726 [MEDIUM] CWE-269 Users with `create` but not `override` privileges can perform local sync Users with `create` but not `override` privileges can perform local sync ### Impact "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug all
ghsaosv
CVE-2024-29893P3MEDIUM≥ 2.4.0, < 2.8.14≥ 2.9.0, < 2.9.10+1 more2024-03-29
CVE-2024-29893 [MEDIUM] CWE-400 ArgoCD's repo server has Uncontrolled Resource Consumption vulnerability ArgoCD's repo server has Uncontrolled Resource Consumption vulnerability ### Impact All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() functio
ghsaosv
CVE-2025-23216P4MEDIUM≥ 2.13.0, < 2.13.4≥ 2.12.0, < 2.12.10+1 more2025-01-30
CVE-2025-23216 [MEDIUM] CWE-200 Argo CD does not scrub secret values from patch errors Argo CD does not scrub secret values from patch errors ### Impact A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to
ghsaosv
CVE-2022-31016P4MEDIUM≥ 0, < 2.1.16≥ 2.2.0, < 2.2.10+2 more2022-06-21
CVE-2022-31016 [MEDIUM] CWE-400 DoS through large manifest files in Argo CD DoS through large manifest files in Argo CD ### Impact All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the [repo-server](https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server) service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies c
ghsaosv
CVE-2024-32476P4MEDIUM≥ 2.10.0, < 2.10.8≥ 2.9.0, < 2.9.13+1 more2024-04-26
CVE-2024-32476 [MEDIUM] CWE-400 Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences ### Impact DoS vuln via OOM using jq in ignoreDifferences. ``` ignoreDifferences: - group: apps kind: Deployment jqPathExpressions: - 'until(true == false; [.] + [1])' ``` ### Patches A patch for this vulnerability has been released in the following Argo CD versions: v2.10.
ghsaosv
CVE-2025-55191P4MEDIUM≥ 2.1.0, < 2.14.202025-09-30
CVE-2025-55191 [MEDIUM] CWE-362 Repository Credentials Race Condition Crashes Argo CD Server Repository Credentials Race Condition Crashes Argo CD Server ### Summary A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. ### Details The vulnerability is located in numerous repository related handlers in the `util/db/repository_secrets.go` file. For example, in the `secretToRepo
ghsaosv
CVE-2022-24731P4UNKNOWN≥ 0, < 2.1.11≥ 2.2.0, < 2.2.6+1 more2024-08-21
CVE-2022-24731 Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
osv
CVE-2022-31102P4UNKNOWN≥ 2.3.0, < 2.3.6≥ 2.4.0, < 2.4.52024-08-21
CVE-2022-31102 Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd
osv
CVE-2025-47933P4CRITICAL≥ 2.0.0-rc3, < 2.13.8≥ 2.14.0-rc1, < 2.14.132025-05-28
CVE-2025-47933 [CRITICAL] CWE-79 Argo CD allows cross-site scripting on repositories page Argo CD allows cross-site scripting on repositories page ### Impact This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. In `ui/src/app/s
ghsaosv
CVE-2022-31035P4CRITICAL≥ 0, < 2.1.16≥ 2.2.0, < 2.2.10+2 more2022-06-21
CVE-2022-31035 [CRITICAL] CWE-79 Argo CD's external URLs for Deployments can include JavaScript Argo CD's external URLs for Deployments can include JavaScript ### Impact All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing an
ghsaosv
CVE-2024-28175P4CRITICAL≥ 2.9.0, < 2.9.8≥ 2.10.0, < 2.10.3+1 more2024-03-15
CVE-2024-28175 [CRITICAL] CWE-79 Cross-site scripting on application summary component Cross-site scripting on application summary component ### Summary Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. ### Impact All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing
ghsaosv
CVE-2022-41354P4MEDIUM≥ 2.5.0, < 2.5.16≥ 2.6.0, < 2.6.7+1 more2023-03-23
CVE-2022-41354 [MEDIUM] CWE-203 Argo CD authenticated but unauthorized users may enumerate Application names via the API Argo CD authenticated but unauthorized users may enumerate Application names via the API ### Impact All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another att
ghsaosv
CVE-2022-31036P4MEDIUM≥ 0, < 2.1.16≥ 2.2.0, < 2.2.10+2 more2022-06-21
CVE-2022-31036 [MEDIUM] CWE-20 Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ### Impact All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be)
ghsaosv
Github.Com Argoproj Argo-Cd V2 vulnerabilities | cvebase