Argo 2.13.3 has critical vulnerabilities - CVE-2025-21613 , CVE-2024-45337 #21452

Open
1 of 3 tasks
mani5h-harness opened this issue Jan 10, 2025 · 0 comments
Labels
bug Something isn't working

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Summary

There are two critical vulnerabilities in the latest Argo CD image (2.13.3) as per the Aqua Trivy scanner.
The vulnerabilities are in github.com/go-git/go-git/v5 and golang.org/x/crypto.

Details

Response from the Aqua Trivy vulnerability scanner:

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GHSA-v725-9546-7q7m | CRITICAL | | v5.12.0 | 5.13.0 | go-git: argument injection via the URL field (https://avd.aquasec.com/nvd/cve-2025-21613) |
| golang.org/x/crypto | GHSA-v778-237x-gjrc | CRITICAL | | v0.27.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (https://avd.aquasec.com/nvd/cve-2024-45337) |

To Reproduce

Expected behavior

Screenshots

Version

Paste the output from `argocd version` here.

Logs

Paste any relevant application logs here.
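One check a defender might run after a report like this, as an added example that is not part of the original issue and not Argo CD project code: parse the module list that `go version -m <binary>` prints for a Go binary and compare the embedded versions of the two modules named in the Trivy rows with the fixed versions quoted there (5.13.0 for go-git, 0.31.0 for x/crypto). The module list in the block is constructed for the example, with placeholder hashes and a placeholder Go version; the function and variable names are assumptions of the example, not anything from the report.

```python
"""Compare the Go modules embedded in a binary with the fixed versions from the
Trivy findings above.  Input is in the layout of `go version -m <binary>`:
one tab-separated "dep <module> <version> <hash>" line per dependency.
Example code added to this issue, not Argo CD project code."""

import sys
from typing import Dict, List, Tuple

# Fixed versions and CVE ids are those quoted in the Trivy rows above.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "github.com/go-git/go-git/v5": ("v5.13.0", "CVE-2025-21613"),
    "golang.org/x/crypto": ("v0.31.0", "CVE-2024-45337"),
}

# Constructed sample in `go version -m` layout; the h1: hashes, the Go
# version and the module versions other than the two reported are placeholders.
SAMPLE_GO_VERSION_M = (
    "argocd: go1.23.1\n"
    "\tpath\tgithub.com/argoproj/argo-cd/v2/cmd\n"
    "\tmod\tgithub.com/argoproj/argo-cd/v2\t(devel)\n"
    "\tdep\tgithub.com/go-git/go-git/v5\tv5.12.0\th1:PLACEHOLDER=\n"
    "\tdep\tgolang.org/x/crypto\tv0.27.0\th1:PLACEHOLDER=\n"
    "\tdep\tgolang.org/x/net\tv0.29.0\th1:PLACEHOLDER=\n"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v5.12.0' (or a pseudo-version such as v0.0.0-20240101000000-abcdef)
    into a tuple of ints ordered by the major.minor.patch core; pre-release
    and build suffixes are dropped, which is enough for a below-fixed check."""
    core = version.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_modules(text: str) -> Dict[str, str]:
    """Return {module path: version} from the 'mod' and 'dep' lines.
    Caveat: '=>' replace lines are not applied, so a module overridden by a
    go.mod replace directive keeps the version recorded on its 'dep' line."""
    modules: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) >= 3 and fields[0] in ("mod", "dep"):
            modules[fields[1]] = fields[2]
    return modules


def find_affected(
    text: str, fixed: Dict[str, Tuple[str, str]] = FIXED_VERSIONS
) -> List[Tuple[str, str, str, str]]:
    """List (module, installed, fixed, cve) for each tracked module whose
    embedded version is older than the fixed version; empty means clean."""
    modules = parse_modules(text)
    hits: List[Tuple[str, str, str, str]] = []
    for module, (fixed_version, cve) in fixed.items():
        installed = modules.get(module)
        if installed is None or installed == "(devel)":
            continue  # not linked into the binary, or an unversioned main module
        if parse_version(installed) < parse_version(fixed_version):
            hits.append((module, installed, fixed_version, cve))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: go version -m /usr/local/bin/argocd > mods.txt && python check.py mods.txt
    # With no argument the constructed sample above is checked instead.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GO_VERSION_M
    for module, installed, fixed_version, cve in find_affected(source):
        print(f"{cve}: {module} {installed} is below fixed version {fixed_version}")
```

Against the constructed sample this reports both modules, matching the Trivy rows; after the versions are raised to the fixed ones it reports nothing. Because the binary's own build info is the source, this cross-checks the scanner independently of the image's package metadata, with the stated caveat that replace directives are not followed.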