Vulnerability Report: GO-2024-2643

CVE-2023-50726, GHSA-g623-jcgg-mhmm
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Mar 22, 2024
Modified: May 20, 2024

An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.

Affected Packages

Path

Go Versions

Symbols
github.com/argoproj/argo-cd/server/application

all versions, no known fixed
- Server.Create
github.com/argoproj/argo-cd/v2/server/application

from v2.0.0 before v2.8.12, from v2.9.0 before v2.9.8, from v2.10.0 before v2.10.3
- Server.Create

Aliases

CVE-2023-50726
GHSA-g623-jcgg-mhmm

References

https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978
https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac
https://vuln.go.dev/ID/GO-2024-2643.json

Credits

@crenshaw-dev

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL