Search criteria
162 vulnerabilities found for argo_cd by argoproj
FKIE_CVE-2025-59538
Vulnerability from fkie_nvd - Published: 2025-10-01 21:16 - Updated: 2025-10-07 14:28
Severity ?
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3811C238-65B6-4B66-A82C-112ED72F66C9",
"versionEndExcluding": "2.14.20",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB",
"versionEndExcluding": "3.0.19",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E",
"versionEndExcluding": "3.1.8",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"id": "CVE-2025-59538",
"lastModified": "2025-10-07T14:28:49.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-01T21:16:43.800",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-248"
},
{
"lang": "en",
"value": "CWE-703"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-59537
Vulnerability from fkie_nvd - Published: 2025-10-01 21:16 - Updated: 2025-10-07 14:34
Severity ?
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43 | Patch | |
| security-advisories@github.com | https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2 | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2 | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA16487-4630-4646-9952-32E096B64251",
"versionEndIncluding": "1.8.7",
"versionStartIncluding": "1.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD4B38D5-4CEC-4C24-AD81-92B9DA4426AC",
"versionEndExcluding": "2.14.20",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB",
"versionEndExcluding": "3.0.19",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E",
"versionEndExcluding": "3.1.8",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"id": "CVE-2025-59537",
"lastModified": "2025-10-07T14:34:45.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-01T21:16:43.577",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-59531
Vulnerability from fkie_nvd - Published: 2025-10-01 21:16 - Updated: 2025-10-07 14:39
Severity ?
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f | Patch | |
| security-advisories@github.com | https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA16487-4630-4646-9952-32E096B64251",
"versionEndIncluding": "1.8.7",
"versionStartIncluding": "1.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD4B38D5-4CEC-4C24-AD81-92B9DA4426AC",
"versionEndExcluding": "2.14.20",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB",
"versionEndExcluding": "3.0.19",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E",
"versionEndExcluding": "3.1.8",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD\u0027s /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"id": "CVE-2025-59531",
"lastModified": "2025-10-07T14:39:29.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-01T21:16:43.377",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-703"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-55191
Vulnerability from fkie_nvd - Published: 2025-09-30 23:15 - Updated: 2025-10-07 13:11
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "789A8BF2-A057-44C9-96AC-EEAEBA826F8A",
"versionEndExcluding": "2.14.20",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB",
"versionEndExcluding": "3.0.19",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E",
"versionEndExcluding": "3.1.8",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"id": "CVE-2025-55191",
"lastModified": "2025-10-07T13:11:21.697",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-09-30T23:15:29.533",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/argoproj/argo-cd/pull/6103"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-55190
Vulnerability from fkie_nvd - Published: 2025-09-04 23:15 - Updated: 2025-09-19 15:20
Severity ?
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "509DC36B-0F94-49A8-9FCC-759608EE674A",
"versionEndExcluding": "2.13.9",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94CAAB98-4756-4D4C-9D65-6AC761182AF2",
"versionEndExcluding": "2.14.16",
"versionStartIncluding": "2.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F787DAD3-5CDA-437F-9234-730303893260",
"versionEndExcluding": "3.0.14",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF17F8A2-1829-49D6-BD12-D608DA1A6EB0",
"versionEndExcluding": "3.1.2",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2."
}
],
"id": "CVE-2025-55190",
"lastModified": "2025-09-19T15:20:53.823",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-04T23:15:32.400",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-47933
Vulnerability from fkie_nvd - Published: 2025-05-29 20:15 - Updated: 2025-08-27 02:28
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FEB6AB4D-CAF5-43BF-9362-35FA59D22980",
"versionEndExcluding": "2.13.8",
"versionStartIncluding": "1.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D8AA903B-D9F7-4678-B437-2210CE881CD0",
"versionEndExcluding": "2.14.13",
"versionStartIncluding": "2.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E53FAABC-D715-451D-ABAE-F04B19AA99CD",
"versionEndExcluding": "3.0.4",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:1.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "BA998D51-81E0-475F-8ABE-1CB42F848B8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:1.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "47306D25-C476-4E30-BEA7-0151CF31F5D7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4."
},
{
"lang": "es",
"value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. En versiones anteriores a las 2.13.8, 2.14.13 y 3.0.4, un atacante pod\u00eda realizar acciones arbitrarias en nombre de la v\u00edctima a trav\u00e9s de la API. Debido al filtrado incorrecto de los protocolos de URL en la p\u00e1gina del repositorio, un atacante puede realizar ataques de cross-site scripting con permiso para editar el repositorio. Este problema se ha corregido en las versiones 2.13.8, 2.14.13 y 3.0.4."
}
],
"id": "CVE-2025-47933",
"lastModified": "2025-08-27T02:28:01.647",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-29T20:15:27.473",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-23216
Vulnerability from fkie_nvd - Published: 2025-01-30 16:15 - Updated: 2025-06-06 15:44
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1D748B7-084E-4C91-804D-82FC2E0E2E26",
"versionEndExcluding": "2.11.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03CF58BD-4241-43D1-8319-B6130B558B40",
"versionEndExcluding": "2.12.10",
"versionStartIncluding": "2.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5AFD099-E58F-40C6-80AA-ACCC68F04FD5",
"versionEndExcluding": "2.13.4",
"versionStartIncluding": "2.13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."
},
{
"lang": "es",
"value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Se descubri\u00f3 una vulnerabilidad en Argo CD que expon\u00eda valores secretos en mensajes de error y en la vista de diferencias cuando se sincronizaba un recurso secreto de Kubernetes no v\u00e1lido desde un repositorio. La vulnerabilidad supone que el usuario tiene acceso de escritura al repositorio y puede explotarla, ya sea intencional o involuntariamente, al confirmar un secreto no v\u00e1lido en el repositorio y activar una sincronizaci\u00f3n. Una vez explotada, cualquier usuario con acceso de lectura a Argo CD puede ver los datos secretos expuestos. La vulnerabilidad se corrigi\u00f3 en las versiones v2.13.4, v2.12.10 y v2.11.13."
}
],
"id": "CVE-2025-23216",
"lastModified": "2025-06-06T15:44:21.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-30T16:15:31.473",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-41666
Vulnerability from fkie_nvd - Published: 2024-07-24 18:15 - Updated: 2025-01-09 16:54
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user `p, role:myrole, exec, create, */*, allow` permissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16C03FB1-4E29-4BB9-8157-4FDA0A57DADC",
"versionEndExcluding": "2.9.21",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EFCD9B49-F26A-4AA7-A311-1D29DA39CDA1",
"versionEndExcluding": "2.10.16",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D218BAA2-2CE3-48E4-B633-840741F21363",
"versionEndExcluding": "2.11.7",
"versionStartIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user `p, role:myrole, exec, create, */*, allow` permissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21."
},
{
"lang": "es",
"value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Argo CD tiene una terminal basada en web que permite a los usuarios obtener un shell dentro de un pod en ejecuci\u00f3n, tal como lo har\u00edan con kubectl exec. A partir de la versi\u00f3n 2.6.0, cuando el administrador habilita esta funci\u00f3n y otorga permiso al usuario `p, role:myrole, exec, create, */*, enable`, incluso si el usuario revoca este permiso, el usuario a\u00fan puede realizar operaciones en el contenedor, siempre y cuando el usuario mantenga abierta la vista del terminal durante mucho tiempo. Aunque la caducidad del token y la revocaci\u00f3n del usuario est\u00e1n arregladas, la soluci\u00f3n no aborda la situaci\u00f3n de revocaci\u00f3n de permisos \u00fanicamente del usuario `p, role:myrole, exec, create, */*, enable`, lo que a\u00fan puede conducir a la filtraci\u00f3n de informaci\u00f3n sensible. Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones 2.11.7, 2.10.16 y 2.9.21 de Argo CD."
}
],
"id": "CVE-2024-41666",
"lastModified": "2025-01-09T16:54:08.037",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-24T18:15:05.090",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit"
],
"url": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-40634
Vulnerability from fkie_nvd - Published: 2024-07-22 18:15 - Updated: 2025-01-09 16:55
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C70E0BA-D4D0-4C05-A0F1-95E13A68BFDB",
"versionEndExcluding": "2.9.20",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E18329BB-8F90-4E14-A20B-FF47D16B2D7D",
"versionEndExcluding": "2.10.15",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3E953865-3609-4D15-BD82-8A57A3E2EAB5",
"versionEndExcluding": "2.11.6",
"versionStartIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.\n"
},
{
"lang": "es",
"value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Este informe detalla una vulnerabilidad de seguridad en Argo CD, donde un atacante no autenticado puede enviar un gran payload JSON especialmente manipulado al endpoint /api/webhook, lo que provoca una asignaci\u00f3n excesiva de memoria que conduce a la interrupci\u00f3n del servicio al desencadenar un Out Of Memory (OOM) kill. El problema plantea un alto riesgo para la disponibilidad de las implementaciones de Argo CD. Esta vulnerabilidad se solucion\u00f3 en 2.11.6, 2.10.15 y 2.9.20."
}
],
"id": "CVE-2024-40634",
"lastModified": "2025-01-09T16:55:20.183",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-22T18:15:03.770",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-37152
Vulnerability from fkie_nvd - Published: 2024-06-06 16:15 - Updated: 2024-11-21 09:23
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "06BC49C2-45E8-4353-A477-397B5FED6A01",
"versionEndExcluding": "2.9.17",
"versionStartIncluding": "2.9.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9572F68B-9CCC-4B52-90D8-07FDDDBD3D13",
"versionEndExcluding": "2.10.12",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF3F3CB7-820D-40C8-AAEA-F4D83F7B7BD9",
"versionEndExcluding": "2.11.3",
"versionStartIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17."
},
{
"lang": "es",
"value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. La vulnerabilidad permite el acceso no autorizado a la configuraci\u00f3n confidencial expuesta por el endpoint /api/v1/settings sin autenticaci\u00f3n. Todas las configuraciones confidenciales est\u00e1n ocultas excepto el patr\u00f3n de contrase\u00f1a. Esta vulnerabilidad se solucion\u00f3 en 2.11.3, 2.10.12 y 2.9.17."
}
],
"id": "CVE-2024-37152",
"lastModified": "2024-11-21T09:23:18.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-06T16:15:13.190",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-59538 (GCVE-0-2025-59538)
Vulnerability from cvelistv5 – Published: 2025-10-01 21:09 – Updated: 2025-10-02 15:54
VLAI?
Title
Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:32:22.380180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:11.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:09:08.870Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
}
],
"source": {
"advisory": "GHSA-gpx4-37g2-c8pv",
"discovery": "UNKNOWN"
},
"title": "Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59538",
"datePublished": "2025-10-01T21:09:08.870Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:11.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59537 (GCVE-0-2025-59537)
Vulnerability from cvelistv5 – Published: 2025-10-01 21:01 – Updated: 2025-10-02 15:54
VLAI?
Title
argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59537",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:35:13.081671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:17.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:01:36.519Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
}
],
"source": {
"advisory": "GHSA-wp4p-9pxh-cgx2",
"discovery": "UNKNOWN"
},
"title": "argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59537",
"datePublished": "2025-10-01T21:01:36.519Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:17.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59531 (GCVE-0-2025-59531)
Vulnerability from cvelistv5 – Published: 2025-10-01 20:49 – Updated: 2025-10-02 15:54
VLAI?
Title
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59531",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:35:32.474779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:24.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD\u0027s /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:49:35.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f"
}
],
"source": {
"advisory": "GHSA-f9gq-prrc-hrhc",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59531",
"datePublished": "2025-10-01T20:49:35.428Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:24.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55191 (GCVE-0-2025-55191)
Vulnerability from cvelistv5 – Published: 2025-09-30 22:52 – Updated: 2025-10-06 18:32
VLAI?
Title
Repository Credentials Race Condition Crashes Argo CD Server
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
6.5 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:32:25.830089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:32:34.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.14.20"
},
{
"status": "affected",
"version": "= 3.2.0-rc1"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T22:52:19.838Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9"
},
{
"name": "https://github.com/argoproj/argo-cd/pull/6103",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/pull/6103"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7"
}
],
"source": {
"advisory": "GHSA-g88p-r42r-ppp9",
"discovery": "UNKNOWN"
},
"title": "Repository Credentials Race Condition Crashes Argo CD Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55191",
"datePublished": "2025-09-30T22:52:19.838Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-10-06T18:32:34.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55190 (GCVE-0-2025-55190)
Vulnerability from cvelistv5 – Published: 2025-09-04 22:37 – Updated: 2025-09-05 16:07
VLAI?
Title
Argo CD: Project API Token Exposes Repository Credentials
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Severity ?
10 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T16:07:11.324151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T16:07:25.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.9"
},
{
"status": "affected",
"version": "\u003e= 2.14.0, \u003c 2.14.16"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.14"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T22:37:52.811Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8"
}
],
"source": {
"advisory": "GHSA-786q-9hcg-v9ff",
"discovery": "UNKNOWN"
},
"title": "Argo CD: Project API Token Exposes Repository Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55190",
"datePublished": "2025-09-04T22:37:52.811Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-09-05T16:07:25.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47933 (GCVE-0-2025-47933)
Vulnerability from cvelistv5 – Published: 2025-05-29 19:30 – Updated: 2025-05-30 12:35
VLAI?
Title
Argo CD allows cross-site scripting on repositories page
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.
Severity ?
9.1 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T12:34:55.697431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T12:35:04.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0-rc1, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc3, \u003c 2.13.8"
},
{
"status": "affected",
"version": "\u003e= 2.14.0-rc1, \u003c 2.14.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T19:30:39.108Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1"
}
],
"source": {
"advisory": "GHSA-2hj5-g64g-fp6p",
"discovery": "UNKNOWN"
},
"title": "Argo CD allows cross-site scripting on repositories page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47933",
"datePublished": "2025-05-29T19:30:39.108Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-05-30T12:35:04.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23216 (GCVE-0-2025-23216)
Vulnerability from cvelistv5 – Published: 2025-01-30 15:30 – Updated: 2025-02-12 19:51
VLAI?
Title
Argo CD does not scrub secret values from patch errors
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.
Severity ?
6.8 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T16:40:31.507364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:12.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.4"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.10"
},
{
"status": "affected",
"version": "\u003c 2.11.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T15:30:05.405Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"
},
{
"name": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"
}
],
"source": {
"advisory": "GHSA-47g2-qmh2-749v",
"discovery": "UNKNOWN"
},
"title": "Argo CD does not scrub secret values from patch errors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23216",
"datePublished": "2025-01-30T15:30:05.405Z",
"dateReserved": "2025-01-13T17:15:41.051Z",
"dateUpdated": "2025-02-12T19:51:12.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41666 (GCVE-0-2024-41666)
Vulnerability from cvelistv5 – Published: 2024-07-24 17:16 – Updated: 2024-08-12 21:02
VLAI?
Title
The Argo CD web terminal session does not handle the revocation of user permissions properly.
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user `p, role:myrole, exec, create, */*, allow` permissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21.
Severity ?
4.7 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"lessThan": "2.9.21",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "2.10.16",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThan": "2.11.7",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41666",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T18:05:21.749595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T21:02:57.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4"
},
{
"name": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.9.21"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.16"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user `p, role:myrole, exec, create, */*, allow` permissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T17:16:37.730Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4"
},
{
"name": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing"
}
],
"source": {
"advisory": "GHSA-v8wx-v5jq-qhhw",
"discovery": "UNKNOWN"
},
"title": "The Argo CD web terminal session does not handle the revocation of user permissions properly."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41666",
"datePublished": "2024-07-24T17:16:37.730Z",
"dateReserved": "2024-07-18T15:21:47.484Z",
"dateUpdated": "2024-08-12T21:02:57.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40634 (GCVE-0-2024-40634)
Vulnerability from cvelistv5 – Published: 2024-07-22 17:22 – Updated: 2024-08-02 04:33
VLAI?
Title
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"lessThan": "2.9.20",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "2.10.15",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40634",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T13:12:57.451737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T13:19:36.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 2.9.20"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.15"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T17:22:55.732Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
}
],
"source": {
"advisory": "GHSA-jmvp-698c-4x3w",
"discovery": "UNKNOWN"
},
"title": "Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40634",
"datePublished": "2024-07-22T17:22:55.732Z",
"dateReserved": "2024-07-08T16:13:15.511Z",
"dateUpdated": "2024-08-02T04:33:11.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37152 (GCVE-0-2024-37152)
Vulnerability from cvelistv5 – Published: 2024-06-06 15:33 – Updated: 2024-08-02 03:50
VLAI?
Title
Unauthenticated Access to sensitive settings in Argo CD
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:linuxfoundation:argo-cd:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-cd",
"vendor": "linuxfoundation",
"versions": [
{
"lessThan": "2.9.17",
"status": "affected",
"version": "2.9.3",
"versionType": "custom"
},
{
"lessThan": "2.10.2",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37152",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T13:49:11.409850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T13:59:44.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.3, \u003c 2.9.17"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.12"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T15:33:29.843Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b"
}
],
"source": {
"advisory": "GHSA-87p9-x75h-p4j2",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Access to sensitive settings in Argo CD"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37152",
"datePublished": "2024-06-06T15:33:29.843Z",
"dateReserved": "2024-06-03T17:29:38.328Z",
"dateUpdated": "2024-08-02T03:50:55.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59538 (GCVE-0-2025-59538)
Vulnerability from nvd – Published: 2025-10-01 21:09 – Updated: 2025-10-02 15:54
VLAI?
Title
Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:32:22.380180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:11.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:09:08.870Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
}
],
"source": {
"advisory": "GHSA-gpx4-37g2-c8pv",
"discovery": "UNKNOWN"
},
"title": "Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59538",
"datePublished": "2025-10-01T21:09:08.870Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:11.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59537 (GCVE-0-2025-59537)
Vulnerability from nvd – Published: 2025-10-01 21:01 – Updated: 2025-10-02 15:54
VLAI?
Title
argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59537",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:35:13.081671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:17.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:01:36.519Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
}
],
"source": {
"advisory": "GHSA-wp4p-9pxh-cgx2",
"discovery": "UNKNOWN"
},
"title": "argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59537",
"datePublished": "2025-10-01T21:01:36.519Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:17.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59531 (GCVE-0-2025-59531)
Vulnerability from nvd – Published: 2025-10-01 20:49 – Updated: 2025-10-02 15:54
VLAI?
Title
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59531",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:35:32.474779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:24.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD\u0027s /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:49:35.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f"
}
],
"source": {
"advisory": "GHSA-f9gq-prrc-hrhc",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59531",
"datePublished": "2025-10-01T20:49:35.428Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:24.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55191 (GCVE-0-2025-55191)
Vulnerability from nvd – Published: 2025-09-30 22:52 – Updated: 2025-10-06 18:32
VLAI?
Title
Repository Credentials Race Condition Crashes Argo CD Server
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
6.5 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:32:25.830089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:32:34.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.14.20"
},
{
"status": "affected",
"version": "= 3.2.0-rc1"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T22:52:19.838Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9"
},
{
"name": "https://github.com/argoproj/argo-cd/pull/6103",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/pull/6103"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7"
}
],
"source": {
"advisory": "GHSA-g88p-r42r-ppp9",
"discovery": "UNKNOWN"
},
"title": "Repository Credentials Race Condition Crashes Argo CD Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55191",
"datePublished": "2025-09-30T22:52:19.838Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-10-06T18:32:34.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55190 (GCVE-0-2025-55190)
Vulnerability from nvd – Published: 2025-09-04 22:37 – Updated: 2025-09-05 16:07
VLAI?
Title
Argo CD: Project API Token Exposes Repository Credentials
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Severity ?
10 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T16:07:11.324151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T16:07:25.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.9"
},
{
"status": "affected",
"version": "\u003e= 2.14.0, \u003c 2.14.16"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.14"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T22:37:52.811Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8"
}
],
"source": {
"advisory": "GHSA-786q-9hcg-v9ff",
"discovery": "UNKNOWN"
},
"title": "Argo CD: Project API Token Exposes Repository Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55190",
"datePublished": "2025-09-04T22:37:52.811Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-09-05T16:07:25.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47933 (GCVE-0-2025-47933)
Vulnerability from nvd – Published: 2025-05-29 19:30 – Updated: 2025-05-30 12:35
VLAI?
Title
Argo CD allows cross-site scripting on repositories page
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.
Severity ?
9.1 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T12:34:55.697431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T12:35:04.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0-rc1, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc3, \u003c 2.13.8"
},
{
"status": "affected",
"version": "\u003e= 2.14.0-rc1, \u003c 2.14.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T19:30:39.108Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1"
}
],
"source": {
"advisory": "GHSA-2hj5-g64g-fp6p",
"discovery": "UNKNOWN"
},
"title": "Argo CD allows cross-site scripting on repositories page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47933",
"datePublished": "2025-05-29T19:30:39.108Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-05-30T12:35:04.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23216 (GCVE-0-2025-23216)
Vulnerability from nvd – Published: 2025-01-30 15:30 – Updated: 2025-02-12 19:51
VLAI?
Title
Argo CD does not scrub secret values from patch errors
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.
Severity ?
6.8 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T16:40:31.507364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:12.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.4"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.10"
},
{
"status": "affected",
"version": "\u003c 2.11.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T15:30:05.405Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"
},
{
"name": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"
}
],
"source": {
"advisory": "GHSA-47g2-qmh2-749v",
"discovery": "UNKNOWN"
},
"title": "Argo CD does not scrub secret values from patch errors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23216",
"datePublished": "2025-01-30T15:30:05.405Z",
"dateReserved": "2025-01-13T17:15:41.051Z",
"dateUpdated": "2025-02-12T19:51:12.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41666 (GCVE-0-2024-41666)
Vulnerability from nvd – Published: 2024-07-24 17:16 – Updated: 2024-08-12 21:02
VLAI?
Title
The Argo CD web terminal session does not handle the revocation of user permissions properly.
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user `p, role:myrole, exec, create, */*, allow` permissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21.
Severity ?
4.7 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"lessThan": "2.9.21",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "2.10.16",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThan": "2.11.7",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41666",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T18:05:21.749595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T21:02:57.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4"
},
{
"name": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.9.21"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.16"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user `p, role:myrole, exec, create, */*, allow` permissions, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T17:16:37.730Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4"
},
{
"name": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing"
}
],
"source": {
"advisory": "GHSA-v8wx-v5jq-qhhw",
"discovery": "UNKNOWN"
},
"title": "The Argo CD web terminal session does not handle the revocation of user permissions properly."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41666",
"datePublished": "2024-07-24T17:16:37.730Z",
"dateReserved": "2024-07-18T15:21:47.484Z",
"dateUpdated": "2024-08-12T21:02:57.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40634 (GCVE-0-2024-40634)
Vulnerability from nvd – Published: 2024-07-22 17:22 – Updated: 2024-08-02 04:33
VLAI?
Title
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"lessThan": "2.9.20",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "2.10.15",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40634",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T13:12:57.451737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T13:19:36.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 2.9.20"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.15"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T17:22:55.732Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
}
],
"source": {
"advisory": "GHSA-jmvp-698c-4x3w",
"discovery": "UNKNOWN"
},
"title": "Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40634",
"datePublished": "2024-07-22T17:22:55.732Z",
"dateReserved": "2024-07-08T16:13:15.511Z",
"dateUpdated": "2024-08-02T04:33:11.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37152 (GCVE-0-2024-37152)
Vulnerability from nvd – Published: 2024-06-06 15:33 – Updated: 2024-08-02 03:50
VLAI?
Title
Unauthenticated Access to sensitive settings in Argo CD
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:linuxfoundation:argo-cd:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-cd",
"vendor": "linuxfoundation",
"versions": [
{
"lessThan": "2.9.17",
"status": "affected",
"version": "2.9.3",
"versionType": "custom"
},
{
"lessThan": "2.10.2",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37152",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T13:49:11.409850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T13:59:44.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.3, \u003c 2.9.17"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.12"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T15:33:29.843Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b"
}
],
"source": {
"advisory": "GHSA-87p9-x75h-p4j2",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Access to sensitive settings in Argo CD"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37152",
"datePublished": "2024-06-06T15:33:29.843Z",
"dateReserved": "2024-06-03T17:29:38.328Z",
"dateUpdated": "2024-08-02T03:50:55.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}