<!DOCTYPE html>
<html lang="en">
<!-- Source: github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/master/quay.io_argoproj_argocd_latest.html -->

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="22 known vulnerabilities found in 77 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
  <style type="text/css">

    body {
      -moz-font-feature-settings: "pnum";
      -webkit-font-feature-settings: "pnum";
      font-variant-numeric: proportional-nums;
      display: flex;
      flex-direction: column;
      font-feature-settings: "pnum";
      font-size: 100%;
      line-height: 1.5;
      min-height: 100vh;
      -webkit-text-size-adjust: 100%;
      margin: 0;
      padding: 0;
      background-color: #F5F5F5;
      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
    }

    h1,
    h2,
    h3,
    h4,
    h5,
    h6 {
      font-weight: 500;
    }

    a,
    a:link,
    a:visited {
      border-bottom: 1px solid #4b45a9;
      text-decoration: none;
      color: #4b45a9;
    }

    a:hover,
    a:focus,
    a:active {
      border-bottom: 1px solid #4b45a9;
    }

    hr {
      border: none;
      margin: 1em 0;
      border-top: 1px solid #c5c5c5;
    }

    ul {
      padding: 0 1em;
      margin: 1em 0;
    }

    code {
      background-color: #EEE;
      color: #333;
      padding: 0.25em 0.5em;
      border-radius: 0.25em;
    }

    pre {
      background-color: #333;
      font-family: monospace;
      padding: 0.5em 1em 0.75em;
      border-radius: 0.25em;
      font-size: 14px;
    }

    pre code {
      padding: 0;
      background-color: transparent;
      color: #fff;
    }

    a code {
      border-radius: .125rem .125rem 0 0;
      padding-bottom: 0;
      color: #4b45a9;
    }

    a[href^="http://"]:after,
    a[href^="https://"]:after {
      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
      background-repeat: no-repeat;
      background-size: .75rem;
      content: "";
      display: inline-block;
      height: .75rem;
      margin-left: .25rem;
      width: .75rem;
    }

    /* Layout */

    [class*=layout-container] {
      margin: 0 auto;
      max-width: 71.25em;
      padding: 1.9em 1.3em;
      position: relative;
    }
    .layout-container--short {
      padding-top: 0;
      padding-bottom: 0;
      max-width: 48.75em;
    }

    .layout-container--short:after {
      display: block;
      content: "";
      clear: both;
    }

    /* Header */

    .header {
      padding-bottom: 1px;
    }

    .paths {
      margin-left: 8px;
    }
    .header-wrap {
      display: flex;
      flex-direction: row;
      justify-content: space-between;
      padding-top: 2em;
    }
    .project__header {
      background-color: #030328;
      color: #fff;
      margin-bottom: -1px;
      padding-top: 1em;
      padding-bottom: 0.25em;
      border-bottom: 2px solid #BBB;
    }

    .project__header__title {
      overflow-wrap: break-word;
      word-wrap: break-word;
      word-break: break-all;
      margin-bottom: .1em;
      margin-top: 0;
    }

    .timestamp {
      float: right;
      clear: none;
      margin-bottom: 0;
    }

    .meta-counts {
      clear: both;
      display: block;
      flex-wrap: wrap;
      justify-content: space-between;
      margin: 0 0 1.5em;
      color: #fff;
      clear: both;
      font-size: 1.1em;
    }

    .meta-count {
      display: block;
      flex-basis: 100%;
      margin: 0 1em 1em 0;
      float: left;
      padding-right: 1em;
      border-right: 2px solid #fff;
    }

    .meta-count:last-child {
      border-right: 0;
      padding-right: 0;
      margin-right: 0;
    }

    /* Card */

    .card {
      background-color: #fff;
      border: 1px solid #c5c5c5;
      border-radius: .25rem;
      margin: 0 0 2em 0;
      position: relative;
      min-height: 40px;
      padding: 1.5em;
    }

    .card__labels {
      position: absolute;
      top: 1.1em;
      left: 0;
      display: flex;
      align-items: center;
      gap: 8px;
    }

    .card .label {
      background-color: #767676;
      border: 2px solid #767676;
      color: white;
      padding: 0.25rem 0.75rem;
      font-size: 0.875rem;
      text-transform: uppercase;
      display: inline-block;
      margin: 0;
      border-radius: 0.25rem;
    }

    .card .label__text {
      vertical-align: text-top;
      font-weight: bold;
    }

    .card .label--critical {
      background-color: #AB1A1A;
      border-color: #AB1A1A;
    }

    .card .label--high {
      background-color: #CE5019;
      border-color: #CE5019;
    }

    .card .label--medium {
      background-color: #D68000;
      border-color: #D68000;
    }

    .card .label--low {
      background-color: #88879E;
      border-color: #88879E;
    }

    .severity--low {
      border-color: #88879E;
    }

    .severity--medium {
      border-color: #D68000;
    }

    .severity--high {
      border-color: #CE5019;
    }

    .severity--critical {
      border-color: #AB1A1A;
    }

    .card--vuln {
      padding-top: 4em;
    }

    .card--vuln .card__labels > .label:first-child {
      padding-left: 1.9em;
      padding-right: 1.9em;
      border-radius: 0 0.25rem 0.25rem 0;
    }

    .card--vuln .card__section h2 {
      font-size: 22px;
      margin-bottom: 0.5em;
    }

    .card--vuln .card__section p {
      margin: 0 0 0.5em 0;
    }

    .card--vuln .card__meta {
      padding: 0 0 0 1em;
      margin: 0;
      font-size: 1.1em;
    }

    .card .card__meta__paths {
      font-size: 0.9em;
    }

    .card--vuln .card__title {
      font-size: 28px;
      margin-top: 0;
      margin-right: 100px; /* Ensure space for the risk score */
    }

    .card--vuln .card__cta p {
      margin: 0;
      text-align: right;
    }

    .risk-score-display {
      position: absolute;
      top: 1.5em;
      right: 1.5em;
      text-align: right;
      z-index: 10;
    }

    .risk-score-display__label {
      font-size: 0.7em;
      font-weight: bold;
      color: #586069;
      text-transform: uppercase;
      line-height: 1;
      margin-bottom: 3px;
    }

    .risk-score-display__value {
      font-size: 1.9em;
      font-weight: 600;
      color: #24292e;
      line-height: 1;
    }

    .source-panel {
      clear: both;
      display: flex;
      justify-content: flex-start;
      flex-direction: column;
      align-items: flex-start;
      padding: 0.5em 0;
      width: fit-content;
    }

  </style>
  <style type="text/css">
    .metatable {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      margin-top: 12px;
      border-collapse: collapse;
      border-spacing: 0;
      font-variant-numeric: tabular-nums;
      max-width:
      51.75em;
    }

    tbody {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      flex-wrap: wrap;
    }

    .meta-row {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      outline: none;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      align-items: start;
      border-top: 1px solid #d3d3d9;
      padding: 8px 0 0 0;
      border-bottom: none;
      margin: 8px;
      width: 47.75%;
    }

    .meta-row-label {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      color: #4c4a73;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      margin: 0;
      outline: none;
      text-decoration: none;
      z-index: auto;
      align-self: start;
      flex: 1;
      font-size: 1rem;
      line-height: 1.5rem;
      padding: 0;
      text-align: left;
      vertical-align: top;
      text-transform: none;
      letter-spacing: 0;
    }

    .meta-row-value {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse:
      collapse;
      border-spacing: 0;
      word-break: break-word;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: right;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
    }
  </style>
</head>

<body class="section-projects">
  <main class="layout-stacked">
    <div class="layout-stacked__header header">
      <header class="project__header">
        <div class="layout-container">
          <a class="brand" href="https://snyk.io" title="Snyk">
            <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
              <title>Snyk - Open Source Security</title>
              <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
                <g fill="#fff">
                  <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079
40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
                </g>
              </g>
            </svg>
          </a>
          <div class="header-wrap">
            <h1 class="project__header__title">Snyk test report</h1>
            <p class="timestamp">September 14th 2025, 12:22:07 am (UTC+00:00)</p>
          </div>
          <div class="source-panel">
            <span>Scanned the following paths:</span>
            <ul>
              <li class="paths">quay.io/argoproj/argocd:latest/argoproj/argocd/Dockerfile (deb)</li>
              <li class="paths">quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
              <li class="paths">quay.io/argoproj/argocd:latest//usr/local/bin/kustomize (gomodules)</li>
              <li class="paths">quay.io/argoproj/argocd:latest/helm/v3//usr/local/bin/helm (gomodules)</li>
              <li class="paths">quay.io/argoproj/argocd:latest/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li>
            </ul>
          </div>

          <div class="meta-counts">
            <div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
            <div class="meta-count"><span>77 vulnerable dependency paths</span></div>
            <div class="meta-count"><span>2322</span> <span>dependencies</span></div>
          </div><!-- .meta-counts -->
        </div><!-- .layout-container--short -->
      </header><!-- .project__header -->
    </div><!-- .layout-stacked__header -->

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">Directory Traversal</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:25.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:
                tar
              </li>
              <li class="card__meta__item">Introduced through:
                docker-image|quay.io/argoproj/argocd@latest and tar@1.35+dfsg-3.1
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  tar@1.35+dfsg-3.1
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  dpkg@1.22.18ubuntu2
                  <span class="list-paths__item__arrow">›</span>
                  tar@1.35+dfsg-3.1
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>tar</code> package and not the <code>tar</code> package as distributed by <code>Ubuntu</code>.</em>
            <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p>
          <p>GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory.
            Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.</p>
          <h2 id="remediation">Remediation</h2>
          <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>tar</code>.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582</a></li>
            <li><a href="https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md">https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md</a></li>
            <li><a href="https://www.gnu.org/software/tar/">https://www.gnu.org/software/tar/</a></li>
            <li><a href="https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html">https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html</a></li>
            <li><a
              href="https://www.gnu.org/software/tar/manual/html_node/Integrity.html">https://www.gnu.org/software/tar/manual/html_node/Integrity.html</a></li>
            <li><a href="https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html">https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-TAR-10769054">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">CVE-2025-7709</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:25.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:
                sqlite3/libsqlite3-0
              </li>
              <li class="card__meta__item">Introduced through:
                docker-image|quay.io/argoproj/argocd@latest, gnupg2/gpg@2.4.4-2ubuntu23.1 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  gnupg2/gpg@2.4.4-2ubuntu23.1
                  <span class="list-paths__item__arrow">›</span>
                  sqlite3/libsqlite3-0@3.46.1-3ubuntu0.2
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2
            id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu</code>.</em>
            <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p>
          <p>An integer overflow exists in the FTS5 <a href="https://sqlite.org/fts5.html">https://sqlite.org/fts5.html</a> extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.</p>
          <h2 id="remediation">Remediation</h2>
          <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>sqlite3</code>.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7709">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7709</a></li>
            <li><a href="https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g">https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-SQLITE3-12554292">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">Out-of-bounds Write</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:25.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:
                pcre2/libpcre2-8-0
              </li>
              <li class="card__meta__item">Introduced through:
                docker-image|quay.io/argoproj/argocd@latest and pcre2/libpcre2-8-0@10.45-1
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  pcre2/libpcre2-8-0@10.45-1
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  git@1:2.48.1-0ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pcre2/libpcre2-8-0@10.45-1
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  grep@3.11-4build1
                  <span class="list-paths__item__arrow">›</span>
                  pcre2/libpcre2-8-0@10.45-1
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  apt@3.0.0
                  <span class="list-paths__item__arrow">›</span>
                  base-passwd@3.6.6
                  <span class="list-paths__item__arrow">›</span>
                  libselinux/libselinux1@3.7-3ubuntu3
                  <span class="list-paths__item__arrow">›</span>
                  pcre2/libpcre2-8-0@10.45-1
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in
            the description apply only to the upstream <code>pcre2</code> package and not the <code>pcre2</code> package as distributed by <code>Ubuntu</code>.</em>
            <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p>
          <p>The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46.</p>
          <h2 id="remediation">Remediation</h2>
          <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>pcre2</code>.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-58050">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-58050</a></li>
            <li><a href="https://github.com/PCRE2Project/pcre2/commit/a141712e5967d448c7ce13090ab530c8e3d82254">https://github.com/PCRE2Project/pcre2/commit/a141712e5967d448c7ce13090ab530c8e3d82254</a></li>
            <li><a href="https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46">https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46</a></li>
            <li><a href="https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2">https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-PCRE2-12225997">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->
        <div class="card card--vuln disclosure--not-new severity--medium"
          data-snyk-test="medium">
          <h2 class="card__title">Improper Authentication</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:25.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:
                pam/libpam0g
              </li>
              <li class="card__meta__item">Introduced through:
                docker-image|quay.io/argoproj/argocd@latest and pam/libpam0g@1.5.3-7ubuntu4.3
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  util-linux@2.40.2-14ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  apt@3.0.0
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu2
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.16.0-7ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  apt@3.0.0
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu2
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.16.0-7ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  apt@3.0.0
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu2
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.16.0-7ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-7ubuntu4.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span
                    class="list-paths__item__arrow">›</span>
                  apt@3.0.0
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu2
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.16.0-7ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-7ubuntu4.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  util-linux@2.40.2-14ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  apt@3.0.0
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu2
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.16.0-7ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  util-linux@2.40.2-14ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-7ubuntu4.3
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@latest
                  <span class="list-paths__item__arrow">›</span>
                  util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-7ubuntu4.3
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pam</code> package and not the <code>pam</code> package as distributed by <code>Ubuntu</code>.</em>
            <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p>
          <p>A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access.
This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.</p> 1030 <h2 id="remediation">Remediation</h2> 1031 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>pam</code>.</p> 1032 <h2 id="references">References</h2> 1033 <ul> 1034 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963</a></li> 1035 <li><a href="https://access.redhat.com/security/cve/CVE-2024-10963">https://access.redhat.com/security/cve/CVE-2024-10963</a></li> 1036 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2324291">https://bugzilla.redhat.com/show_bug.cgi?id=2324291</a></li> 1037 <li><a href="https://access.redhat.com/errata/RHSA-2024:10232">https://access.redhat.com/errata/RHSA-2024:10232</a></li> 1038 <li><a href="https://access.redhat.com/errata/RHSA-2024:10244">https://access.redhat.com/errata/RHSA-2024:10244</a></li> 1039 <li><a href="https://access.redhat.com/errata/RHSA-2024:10379">https://access.redhat.com/errata/RHSA-2024:10379</a></li> 1040 <li><a href="https://access.redhat.com/errata/RHSA-2024:10518">https://access.redhat.com/errata/RHSA-2024:10518</a></li> 1041 <li><a href="https://access.redhat.com/errata/RHSA-2024:10528">https://access.redhat.com/errata/RHSA-2024:10528</a></li> 1042 <li><a href="https://access.redhat.com/errata/RHSA-2024:10852">https://access.redhat.com/errata/RHSA-2024:10852</a></li> 1043 </ul> 1044 1045 <hr/> 1046 1047 <div class="cta card__cta"> 1048 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-PAM-9795583">More about this vulnerability</a></p> 1049 </div> 1050 1051 </div><!-- .card --> 1052 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1053 <h2 class="card__title">Insecure Storage of Sensitive Information</h2> 1054 <div class="card__section"> 1055 1056 <div class="card__labels"> 1057 <div class="label label--medium"> 1058 <span 
class="label__text">medium severity</span> 1059 </div> 1060 </div> 1061 1062 <hr/> 1063 1064 <ul class="card__meta"> 1065 <li class="card__meta__item"> 1066 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1067 </li> 1068 <li class="card__meta__item"> 1069 Package Manager: ubuntu:25.04 1070 </li> 1071 <li class="card__meta__item"> 1072 Vulnerable module: 1073 1074 pam/libpam0g 1075 </li> 1076 1077 <li class="card__meta__item">Introduced through: 1078 1079 docker-image|quay.io/argoproj/argocd@latest and pam/libpam0g@1.5.3-7ubuntu4.3 1080 1081 </li> 1082 </ul> 1083 1084 <hr/> 1085 1086 1087 <h3 class="card__section__title">Detailed paths</h3> 1088 1089 <ul class="card__meta__paths"> 1090 <li> 1091 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1092 docker-image|quay.io/argoproj/argocd@latest 1093 <span class="list-paths__item__arrow">›</span> 1094 pam/libpam0g@1.5.3-7ubuntu4.3 1095 1096 </span> 1097 1098 </li> 1099 <li> 1100 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1101 docker-image|quay.io/argoproj/argocd@latest 1102 <span class="list-paths__item__arrow">›</span> 1103 util-linux@2.40.2-14ubuntu1.1 1104 <span class="list-paths__item__arrow">›</span> 1105 pam/libpam0g@1.5.3-7ubuntu4.3 1106 1107 </span> 1108 1109 </li> 1110 <li> 1111 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1112 docker-image|quay.io/argoproj/argocd@latest 1113 <span class="list-paths__item__arrow">›</span> 1114 util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1 1115 <span class="list-paths__item__arrow">›</span> 1116 pam/libpam0g@1.5.3-7ubuntu4.3 1117 1118 </span> 1119 1120 </li> 1121 <li> 1122 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1123 docker-image|quay.io/argoproj/argocd@latest 1124 <span class="list-paths__item__arrow">›</span> 1125 apt@3.0.0 1126 <span class="list-paths__item__arrow">›</span> 1127 
adduser@3.137ubuntu2 1128 <span class="list-paths__item__arrow">›</span> 1129 shadow/passwd@1:4.16.0-7ubuntu1 1130 <span class="list-paths__item__arrow">›</span> 1131 pam/libpam0g@1.5.3-7ubuntu4.3 1132 1133 </span> 1134 1135 </li> 1136 <li> 1137 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1138 docker-image|quay.io/argoproj/argocd@latest 1139 <span class="list-paths__item__arrow">›</span> 1140 apt@3.0.0 1141 <span class="list-paths__item__arrow">›</span> 1142 adduser@3.137ubuntu2 1143 <span class="list-paths__item__arrow">›</span> 1144 shadow/passwd@1:4.16.0-7ubuntu1 1145 <span class="list-paths__item__arrow">›</span> 1146 pam/libpam-modules@1.5.3-7ubuntu4.3 1147 <span class="list-paths__item__arrow">›</span> 1148 pam/libpam0g@1.5.3-7ubuntu4.3 1149 1150 </span> 1151 1152 </li> 1153 <li> 1154 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1155 docker-image|quay.io/argoproj/argocd@latest 1156 <span class="list-paths__item__arrow">›</span> 1157 apt@3.0.0 1158 <span class="list-paths__item__arrow">›</span> 1159 adduser@3.137ubuntu2 1160 <span class="list-paths__item__arrow">›</span> 1161 shadow/passwd@1:4.16.0-7ubuntu1 1162 <span class="list-paths__item__arrow">›</span> 1163 pam/libpam-modules@1.5.3-7ubuntu4.3 1164 <span class="list-paths__item__arrow">›</span> 1165 pam/libpam-modules-bin@1.5.3-7ubuntu4.3 1166 <span class="list-paths__item__arrow">›</span> 1167 pam/libpam0g@1.5.3-7ubuntu4.3 1168 1169 </span> 1170 1171 </li> 1172 <li> 1173 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1174 docker-image|quay.io/argoproj/argocd@latest 1175 <span class="list-paths__item__arrow">›</span> 1176 pam/libpam-modules-bin@1.5.3-7ubuntu4.3 1177 1178 </span> 1179 1180 </li> 1181 <li> 1182 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1183 docker-image|quay.io/argoproj/argocd@latest 1184 <span class="list-paths__item__arrow">›</span> 1185 apt@3.0.0 1186 <span 
class="list-paths__item__arrow">›</span> 1187 adduser@3.137ubuntu2 1188 <span class="list-paths__item__arrow">›</span> 1189 shadow/passwd@1:4.16.0-7ubuntu1 1190 <span class="list-paths__item__arrow">›</span> 1191 pam/libpam-modules@1.5.3-7ubuntu4.3 1192 <span class="list-paths__item__arrow">›</span> 1193 pam/libpam-modules-bin@1.5.3-7ubuntu4.3 1194 1195 </span> 1196 1197 </li> 1198 <li> 1199 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1200 docker-image|quay.io/argoproj/argocd@latest 1201 <span class="list-paths__item__arrow">›</span> 1202 pam/libpam-modules@1.5.3-7ubuntu4.3 1203 1204 </span> 1205 1206 </li> 1207 <li> 1208 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1209 docker-image|quay.io/argoproj/argocd@latest 1210 <span class="list-paths__item__arrow">›</span> 1211 pam/libpam-runtime@1.5.3-7ubuntu4.3 1212 <span class="list-paths__item__arrow">›</span> 1213 pam/libpam-modules@1.5.3-7ubuntu4.3 1214 1215 </span> 1216 1217 </li> 1218 <li> 1219 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1220 docker-image|quay.io/argoproj/argocd@latest 1221 <span class="list-paths__item__arrow">›</span> 1222 util-linux@2.40.2-14ubuntu1.1 1223 <span class="list-paths__item__arrow">›</span> 1224 pam/libpam-modules@1.5.3-7ubuntu4.3 1225 1226 </span> 1227 1228 </li> 1229 <li> 1230 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1231 docker-image|quay.io/argoproj/argocd@latest 1232 <span class="list-paths__item__arrow">›</span> 1233 util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1 1234 <span class="list-paths__item__arrow">›</span> 1235 pam/libpam-modules@1.5.3-7ubuntu4.3 1236 1237 </span> 1238 1239 </li> 1240 <li> 1241 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1242 docker-image|quay.io/argoproj/argocd@latest 1243 <span class="list-paths__item__arrow">›</span> 1244 apt@3.0.0 1245 <span class="list-paths__item__arrow">›</span> 1246 
adduser@3.137ubuntu2 1247 <span class="list-paths__item__arrow">›</span> 1248 shadow/passwd@1:4.16.0-7ubuntu1 1249 <span class="list-paths__item__arrow">›</span> 1250 pam/libpam-modules@1.5.3-7ubuntu4.3 1251 1252 </span> 1253 1254 </li> 1255 <li> 1256 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1257 docker-image|quay.io/argoproj/argocd@latest 1258 <span class="list-paths__item__arrow">›</span> 1259 pam/libpam-runtime@1.5.3-7ubuntu4.3 1260 1261 </span> 1262 1263 </li> 1264 <li> 1265 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1266 docker-image|quay.io/argoproj/argocd@latest 1267 <span class="list-paths__item__arrow">›</span> 1268 util-linux@2.40.2-14ubuntu1.1 1269 <span class="list-paths__item__arrow">›</span> 1270 pam/libpam-runtime@1.5.3-7ubuntu4.3 1271 1272 </span> 1273 1274 </li> 1275 <li> 1276 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1277 docker-image|quay.io/argoproj/argocd@latest 1278 <span class="list-paths__item__arrow">›</span> 1279 util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1 1280 <span class="list-paths__item__arrow">›</span> 1281 pam/libpam-runtime@1.5.3-7ubuntu4.3 1282 1283 </span> 1284 1285 </li> 1286 </ul><!-- .list-paths --> 1287 1288 </div><!-- .card__section --> 1289 1290 <hr/> 1291 <!-- Overview --> 1292 <h2 id="nvd-description">NVD Description</h2> 1293 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pam</code> package and not the <code>pam</code> package as distributed by <code>Ubuntu</code>.</em> 1294 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 1295 <p>A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). 
As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.</p> 1296 <h2 id="remediation">Remediation</h2> 1297 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>pam</code>.</p> 1298 <h2 id="references">References</h2> 1299 <ul> 1300 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041</a></li> 1301 <li><a href="https://access.redhat.com/security/cve/CVE-2024-10041">https://access.redhat.com/security/cve/CVE-2024-10041</a></li> 1302 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2319212">https://bugzilla.redhat.com/show_bug.cgi?id=2319212</a></li> 1303 <li><a href="https://access.redhat.com/errata/RHSA-2024:9941">https://access.redhat.com/errata/RHSA-2024:9941</a></li> 1304 <li><a href="https://access.redhat.com/errata/RHSA-2024:10379">https://access.redhat.com/errata/RHSA-2024:10379</a></li> 1305 <li><a href="https://access.redhat.com/errata/RHSA-2024:11250">https://access.redhat.com/errata/RHSA-2024:11250</a></li> 1306 </ul> 1307 1308 <hr/> 1309 1310 <div class="cta card__cta"> 1311 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-PAM-9795712">More about this vulnerability</a></p> 1312 </div> 1313 1314 </div><!-- .card --> 1315 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1316 <h2 class="card__title">CVE-2025-8058</h2> 1317 <div class="card__section"> 1318 1319 <div class="card__labels"> 1320 <div class="label label--medium"> 1321 <span class="label__text">medium severity</span> 1322 </div> 1323 </div> 1324 1325 <hr/> 1326 1327 <ul class="card__meta"> 1328 <li class="card__meta__item"> 1329 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1330 </li> 1331 <li class="card__meta__item"> 1332 
Package Manager: ubuntu:25.04 1333 </li> 1334 <li class="card__meta__item"> 1335 Vulnerable module: 1336 1337 glibc/libc-bin 1338 </li> 1339 1340 <li class="card__meta__item">Introduced through: 1341 1342 docker-image|quay.io/argoproj/argocd@latest and glibc/libc-bin@2.41-6ubuntu1.1 1343 1344 </li> 1345 </ul> 1346 1347 <hr/> 1348 1349 1350 <h3 class="card__section__title">Detailed paths</h3> 1351 1352 <ul class="card__meta__paths"> 1353 <li> 1354 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1355 docker-image|quay.io/argoproj/argocd@latest 1356 <span class="list-paths__item__arrow">›</span> 1357 glibc/libc-bin@2.41-6ubuntu1.1 1358 1359 </span> 1360 1361 </li> 1362 <li> 1363 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1364 docker-image|quay.io/argoproj/argocd@latest 1365 <span class="list-paths__item__arrow">›</span> 1366 glibc/libc6@2.41-6ubuntu1.1 1367 1368 </span> 1369 1370 </li> 1371 </ul><!-- .list-paths --> 1372 1373 </div><!-- .card__section --> 1374 1375 <hr/> 1376 <!-- Overview --> 1377 <h2 id="nvd-description">NVD Description</h2> 1378 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 1379 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 1380 <p>The regcomp function in the GNU C library version from 2.4 to 2.41 is 1381 subject to a double free if some previous allocation fails. It can be 1382 accomplished either by a malloc failure or by using an interposed malloc 1383 that injects random malloc failures. The double free can allow buffer 1384 manipulation depending on how the regex is constructed.
This issue 1385 affects all architectures and ABIs supported by the GNU C library.</p> 1386 <h2 id="remediation">Remediation</h2> 1387 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>glibc</code>.</p> 1388 <h2 id="references">References</h2> 1389 <ul> 1390 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058</a></li> 1391 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=33185">https://sourceware.org/bugzilla/show_bug.cgi?id=33185</a></li> 1392 <li><a href="https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f">https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f</a></li> 1393 </ul> 1394 1395 <hr/> 1396 1397 <div class="cta card__cta"> 1398 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-GLIBC-11031047">More about this vulnerability</a></p> 1399 </div> 1400 1401 </div><!-- .card --> 1402 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1403 <h2 class="card__title">MPL-2.0 license</h2> 1404 <div class="card__section"> 1405 1406 <div class="card__labels"> 1407 <div class="label label--medium"> 1408 <span class="label__text">medium severity</span> 1409 </div> 1410 </div> 1411 1412 <hr/> 1413 1414 <ul class="card__meta"> 1415 <li class="card__meta__item"> 1416 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1417 </li> 1418 <li class="card__meta__item"> 1419 Package Manager: golang 1420 </li> 1421 <li class="card__meta__item"> 1422 Module: 1423 1424 github.com/r3labs/diff/v3 1425 </li> 1426 1427 <li class="card__meta__item">Introduced through: 1428 1429 github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.2 1430 1431 </li> 1432 </ul> 1433 1434 <hr/> 1435 1436 1437 <h3 class="card__section__title">Detailed paths</h3> 1438 1439 <ul 
class="card__meta__paths"> 1440 <li> 1441 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1442 github.com/argoproj/argo-cd/v3@* 1443 <span class="list-paths__item__arrow">›</span> 1444 github.com/r3labs/diff/v3@v3.0.2 1445 1446 </span> 1447 1448 </li> 1449 </ul><!-- .list-paths --> 1450 1451 </div><!-- .card__section --> 1452 1453 <hr/> 1454 <!-- Overview --> 1455 <p>MPL-2.0 license</p> 1456 1457 <hr/> 1458 1459 <div class="cta card__cta"> 1460 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:v3:MPL-2.0">More about this vulnerability</a></p> 1461 </div> 1462 1463 </div><!-- .card --> 1464 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1465 <h2 class="card__title">MPL-2.0 license</h2> 1466 <div class="card__section"> 1467 1468 <div class="card__labels"> 1469 <div class="label label--medium"> 1470 <span class="label__text">medium severity</span> 1471 </div> 1472 </div> 1473 1474 <hr/> 1475 1476 <ul class="card__meta"> 1477 <li class="card__meta__item"> 1478 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1479 </li> 1480 <li class="card__meta__item"> 1481 Package Manager: golang 1482 </li> 1483 <li class="card__meta__item"> 1484 Module: 1485 1486 github.com/hashicorp/go-version 1487 </li> 1488 1489 <li class="card__meta__item">Introduced through: 1490 1491 github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0 1492 1493 </li> 1494 </ul> 1495 1496 <hr/> 1497 1498 1499 <h3 class="card__section__title">Detailed paths</h3> 1500 1501 <ul class="card__meta__paths"> 1502 <li> 1503 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1504 github.com/argoproj/argo-cd/v3@* 1505 <span class="list-paths__item__arrow">›</span> 1506 github.com/hashicorp/go-version@v1.7.0 1507 1508 </span> 1509 1510 </li> 1511 </ul><!-- .list-paths --> 1512 1513 </div><!-- 
.card__section --> 1514 1515 <hr/> 1516 <!-- Overview --> 1517 <p>MPL-2.0 license</p> 1518 1519 <hr/> 1520 1521 <div class="cta card__cta"> 1522 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p> 1523 </div> 1524 1525 </div><!-- .card --> 1526 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1527 <h2 class="card__title">MPL-2.0 license</h2> 1528 <div class="card__section"> 1529 1530 <div class="card__labels"> 1531 <div class="label label--medium"> 1532 <span class="label__text">medium severity</span> 1533 </div> 1534 </div> 1535 1536 <hr/> 1537 1538 <ul class="card__meta"> 1539 <li class="card__meta__item"> 1540 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1541 </li> 1542 <li class="card__meta__item"> 1543 Package Manager: golang 1544 </li> 1545 <li class="card__meta__item"> 1546 Module: 1547 1548 github.com/hashicorp/go-retryablehttp 1549 </li> 1550 1551 <li class="card__meta__item">Introduced through: 1552 1553 github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.8 1554 1555 </li> 1556 </ul> 1557 1558 <hr/> 1559 1560 1561 <h3 class="card__section__title">Detailed paths</h3> 1562 1563 <ul class="card__meta__paths"> 1564 <li> 1565 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1566 github.com/argoproj/argo-cd/v3@* 1567 <span class="list-paths__item__arrow">›</span> 1568 github.com/hashicorp/go-retryablehttp@v0.7.8 1569 1570 </span> 1571 1572 </li> 1573 </ul><!-- .list-paths --> 1574 1575 </div><!-- .card__section --> 1576 1577 <hr/> 1578 <!-- Overview --> 1579 <p>MPL-2.0 license</p> 1580 1581 <hr/> 1582 1583 <div class="cta card__cta"> 1584 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1585 </div> 1586 1587 </div><!-- 
.card --> 1588 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1589 <h2 class="card__title">MPL-2.0 license</h2> 1590 <div class="card__section"> 1591 1592 <div class="card__labels"> 1593 <div class="label label--medium"> 1594 <span class="label__text">medium severity</span> 1595 </div> 1596 </div> 1597 1598 <hr/> 1599 1600 <ul class="card__meta"> 1601 <li class="card__meta__item"> 1602 Manifest file: quay.io/argoproj/argocd:latest/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm 1603 </li> 1604 <li class="card__meta__item"> 1605 Package Manager: golang 1606 </li> 1607 <li class="card__meta__item"> 1608 Module: 1609 1610 github.com/hashicorp/go-multierror 1611 </li> 1612 1613 <li class="card__meta__item">Introduced through: 1614 1615 helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 1616 1617 </li> 1618 </ul> 1619 1620 <hr/> 1621 1622 1623 <h3 class="card__section__title">Detailed paths</h3> 1624 1625 <ul class="card__meta__paths"> 1626 <li> 1627 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1628 helm.sh/helm/v3@* 1629 <span class="list-paths__item__arrow">›</span> 1630 github.com/hashicorp/go-multierror@v1.1.1 1631 1632 </span> 1633 1634 </li> 1635 </ul><!-- .list-paths --> 1636 1637 </div><!-- .card__section --> 1638 1639 <hr/> 1640 <!-- Overview --> 1641 <p>MPL-2.0 license</p> 1642 1643 <hr/> 1644 1645 <div class="cta card__cta"> 1646 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p> 1647 </div> 1648 1649 </div><!-- .card --> 1650 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1651 <h2 class="card__title">MPL-2.0 license</h2> 1652 <div class="card__section"> 1653 1654 <div class="card__labels"> 1655 <div class="label label--medium"> 1656 <span class="label__text">medium severity</span> 1657 </div> 1658 </div> 1659 1660 <hr/> 1661 
1662 <ul class="card__meta"> 1663 <li class="card__meta__item"> 1664 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1665 </li> 1666 <li class="card__meta__item"> 1667 Package Manager: golang 1668 </li> 1669 <li class="card__meta__item"> 1670 Module: 1671 1672 github.com/hashicorp/go-cleanhttp 1673 </li> 1674 1675 <li class="card__meta__item">Introduced through: 1676 1677 github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2 1678 1679 </li> 1680 </ul> 1681 1682 <hr/> 1683 1684 1685 <h3 class="card__section__title">Detailed paths</h3> 1686 1687 <ul class="card__meta__paths"> 1688 <li> 1689 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1690 github.com/argoproj/argo-cd/v3@* 1691 <span class="list-paths__item__arrow">›</span> 1692 github.com/hashicorp/go-cleanhttp@v0.5.2 1693 1694 </span> 1695 1696 </li> 1697 </ul><!-- .list-paths --> 1698 1699 </div><!-- .card__section --> 1700 1701 <hr/> 1702 <!-- Overview --> 1703 <p>MPL-2.0 license</p> 1704 1705 <hr/> 1706 1707 <div class="cta card__cta"> 1708 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p> 1709 </div> 1710 1711 </div><!-- .card --> 1712 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1713 <h2 class="card__title">MPL-2.0 license</h2> 1714 <div class="card__section"> 1715 1716 <div class="card__labels"> 1717 <div class="label label--medium"> 1718 <span class="label__text">medium severity</span> 1719 </div> 1720 </div> 1721 1722 <hr/> 1723 1724 <ul class="card__meta"> 1725 <li class="card__meta__item"> 1726 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1727 </li> 1728 <li class="card__meta__item"> 1729 Package Manager: golang 1730 </li> 1731 <li class="card__meta__item"> 
1732 Module: 1733 1734 github.com/gosimple/slug 1735 </li> 1736 1737 <li class="card__meta__item">Introduced through: 1738 1739 github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0 1740 1741 </li> 1742 </ul> 1743 1744 <hr/> 1745 1746 1747 <h3 class="card__section__title">Detailed paths</h3> 1748 1749 <ul class="card__meta__paths"> 1750 <li> 1751 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1752 github.com/argoproj/argo-cd/v3@* 1753 <span class="list-paths__item__arrow">›</span> 1754 github.com/gosimple/slug@v1.15.0 1755 1756 </span> 1757 1758 </li> 1759 </ul><!-- .list-paths --> 1760 1761 </div><!-- .card__section --> 1762 1763 <hr/> 1764 <!-- Overview --> 1765 <p>MPL-2.0 license</p> 1766 1767 <hr/> 1768 1769 <div class="cta card__cta"> 1770 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p> 1771 </div> 1772 1773 </div><!-- .card --> 1774 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1775 <h2 class="card__title">Improper Encoding or Escaping of Output</h2> 1776 <div class="card__section"> 1777 1778 <div class="card__labels"> 1779 <div class="label label--medium"> 1780 <span class="label__text">medium severity</span> 1781 </div> 1782 </div> 1783 1784 <hr/> 1785 1786 <ul class="card__meta"> 1787 <li class="card__meta__item"> 1788 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1789 </li> 1790 <li class="card__meta__item"> 1791 Package Manager: ubuntu:25.04 1792 </li> 1793 <li class="card__meta__item"> 1794 Vulnerable module: 1795 1796 git/git-man 1797 </li> 1798 1799 <li class="card__meta__item">Introduced through: 1800 1801 1802 docker-image|quay.io/argoproj/argocd@latest, git@1:2.48.1-0ubuntu1.1 and others 1803 </li> 1804 </ul> 1805 1806 <hr/> 1807 1808 1809 <h3 class="card__section__title">Detailed paths</h3> 1810 1811 <ul 
class="card__meta__paths"> 1812 <li> 1813 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1814 docker-image|quay.io/argoproj/argocd@latest 1815 <span class="list-paths__item__arrow">›</span> 1816 git@1:2.48.1-0ubuntu1.1 1817 <span class="list-paths__item__arrow">›</span> 1818 git/git-man@1:2.48.1-0ubuntu1.1 1819 1820 </span> 1821 1822 </li> 1823 <li> 1824 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1825 docker-image|quay.io/argoproj/argocd@latest 1826 <span class="list-paths__item__arrow">›</span> 1827 git@1:2.48.1-0ubuntu1.1 1828 1829 </span> 1830 1831 </li> 1832 <li> 1833 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1834 docker-image|quay.io/argoproj/argocd@latest 1835 <span class="list-paths__item__arrow">›</span> 1836 git-lfs@3.6.1-1 1837 <span class="list-paths__item__arrow">›</span> 1838 git@1:2.48.1-0ubuntu1.1 1839 1840 </span> 1841 1842 </li> 1843 </ul><!-- .list-paths --> 1844 1845 </div><!-- .card__section --> 1846 1847 <hr/> 1848 <!-- Overview --> 1849 <h2 id="nvd-description">NVD Description</h2> 1850 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu</code>.</em> 1851 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 1852 <p>Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. 
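</p>
<p>The defence the advisory implies is to reduce everything a remote can write to the client's terminal to printable text before it reaches stderr. The code below is an added example, not Git's own code and not part of the Argo CD image: it masks C0 and C1 control characters and DEL in sideband payloads using the <code>cat -v</code> caret convention (<code>^[</code> for ESC, <code>^M</code> for CR), and counts how many messages carried such characters, which is the signal worth logging when fetching from untrusted remotes. The payloads are constructed for the example; the caret notation illustrates the approach and is not a claim about Git's exact output.</p>

```python
"""Mask terminal control sequences in Git 'remote:' sideband output.

Added example; it is not Git's code and not part of the Argo CD image. It
reduces every byte a remote can write to the client's terminal to
printable text. The caret notation (^[ for ESC, ^M for CR) follows the
cat -v convention and illustrates the approach, not Git's exact output.
"""
from typing import Iterable, List, Tuple

# Only TAB passes through; LF is treated as a line separator before masking.
_PASS_THROUGH = {"\t"}


def mask_control_chars(text: str) -> str:
    """Replace C0/C1 control characters and DEL with printable escapes."""
    out: List[str] = []
    for ch in text:
        code = ord(ch)
        if ch in _PASS_THROUGH:
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))      # ESC -> ^[ , CR -> ^M
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:
            out.append("M-^" + chr(code - 0x40))    # C1 controls, e.g. CSI -> M-^[
        else:
            out.append(ch)
    return "".join(out)


def contains_control(text: str) -> bool:
    """True if the text holds anything a terminal would interpret."""
    return mask_control_chars(text) != text


def render_sideband(payloads: Iterable[bytes]) -> Tuple[List[str], int]:
    """Turn raw sideband payloads into masked 'remote:' lines.

    Returns the lines to print and how many of them carried control
    characters, so a caller can log or refuse suspicious remotes.
    """
    lines: List[str] = []
    flagged = 0
    for payload in payloads:
        for line in payload.decode("utf-8", errors="replace").split("\n"):
            if not line:
                continue
            if contains_control(line):
                flagged += 1
            lines.append("remote: " + mask_control_chars(line))
    return lines, flagged


# Constructed samples. The second one prints a real warning, then clears the
# line (ESC [ 2K) and returns the cursor (CR) so harmless text paints over it.
BENIGN_PAYLOAD = b"Enumerating objects: 5, done.\n"
MALICIOUS_PAYLOAD = (
    b"warning: post-checkout hook will run curl | sh\x1b[2K\rCompressing objects: 100%"
)


def main() -> None:
    lines, flagged = render_sideband([BENIGN_PAYLOAD, MALICIOUS_PAYLOAD])
    for line in lines:
        print(line)
    print(f"{flagged} message(s) contained control characters")


if __name__ == "__main__":
    main()
```

<p>Without masking, the second payload leaves only <code>Compressing objects: 100%</code> visible on the terminal line; masked, the warning and the <code>^[[2K^M</code> that tried to erase it are both printed. In this image <code>git</code> is invoked by the repo-server rather than from a terminal, so the spoofing vector applies where a person runs <code>git</code> against an untrusted remote; masking is still worth applying before such output is forwarded to logs or a UI that might interpret escapes.</p>
<p>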
Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.</p> 1853 <h2 id="remediation">Remediation</h2> 1854 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>git</code>.</p> 1855 <h2 id="references">References</h2> 1856 <ul> 1857 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005</a></li> 1858 <li><a href="https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329">https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329</a></li> 1859 <li><a href="https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net">https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net</a></li> 1860 </ul> 1861 1862 <hr/> 1863 1864 <div class="cta card__cta"> 1865 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-GIT-9792199">More about this vulnerability</a></p> 1866 </div> 1867 1868 </div><!-- .card --> 1869 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1870 <h2 class="card__title">CVE-2024-56433</h2> 1871 <div class="card__section"> 1872 1873 <div class="card__labels"> 1874 <div class="label label--low"> 1875 <span class="label__text">low severity</span> 1876 </div> 1877 </div> 1878 1879 <hr/> 1880 1881 <ul class="card__meta"> 1882 <li class="card__meta__item"> 1883 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1884 </li> 1885 <li class="card__meta__item"> 1886 Package Manager: ubuntu:25.04 1887 </li> 1888 <li class="card__meta__item"> 1889 Vulnerable module: 1890 1891 
shadow/login.defs 1892 </li> 1893 1894 <li class="card__meta__item">Introduced through: 1895 1896 docker-image|quay.io/argoproj/argocd@latest and shadow/login.defs@1:4.16.0-7ubuntu1 1897 1898 </li> 1899 </ul> 1900 1901 <hr/> 1902 1903 1904 <h3 class="card__section__title">Detailed paths</h3> 1905 1906 <ul class="card__meta__paths"> 1907 <li> 1908 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1909 docker-image|quay.io/argoproj/argocd@latest 1910 <span class="list-paths__item__arrow">›</span> 1911 shadow/login.defs@1:4.16.0-7ubuntu1 1912 1913 </span> 1914 1915 </li> 1916 <li> 1917 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1918 docker-image|quay.io/argoproj/argocd@latest 1919 <span class="list-paths__item__arrow">›</span> 1920 util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.1 1921 <span class="list-paths__item__arrow">›</span> 1922 shadow/login.defs@1:4.16.0-7ubuntu1 1923 1924 </span> 1925 1926 </li> 1927 <li> 1928 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1929 docker-image|quay.io/argoproj/argocd@latest 1930 <span class="list-paths__item__arrow">›</span> 1931 apt@3.0.0 1932 <span class="list-paths__item__arrow">›</span> 1933 adduser@3.137ubuntu2 1934 <span class="list-paths__item__arrow">›</span> 1935 shadow/passwd@1:4.16.0-7ubuntu1 1936 <span class="list-paths__item__arrow">›</span> 1937 shadow/login.defs@1:4.16.0-7ubuntu1 1938 1939 </span> 1940 1941 </li> 1942 <li> 1943 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1944 docker-image|quay.io/argoproj/argocd@latest 1945 <span class="list-paths__item__arrow">›</span> 1946 shadow/passwd@1:4.16.0-7ubuntu1 1947 1948 </span> 1949 1950 </li> 1951 <li> 1952 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1953 docker-image|quay.io/argoproj/argocd@latest 1954 <span class="list-paths__item__arrow">›</span> 1955 openssh/openssh-client@1:9.9p1-3ubuntu3.2 1956 <span 
class="list-paths__item__arrow">›</span> 1957 shadow/passwd@1:4.16.0-7ubuntu1 1958 1959 </span> 1960 1961 </li> 1962 <li> 1963 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1964 docker-image|quay.io/argoproj/argocd@latest 1965 <span class="list-paths__item__arrow">›</span> 1966 apt@3.0.0 1967 <span class="list-paths__item__arrow">›</span> 1968 adduser@3.137ubuntu2 1969 <span class="list-paths__item__arrow">›</span> 1970 shadow/passwd@1:4.16.0-7ubuntu1 1971 1972 </span> 1973 1974 </li> 1975 </ul><!-- .list-paths --> 1976 1977 </div><!-- .card__section --> 1978 1979 <hr/> 1980 <!-- Overview --> 1981 <h2 id="nvd-description">NVD Description</h2> 1982 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>shadow</code> package and not the <code>shadow</code> package as distributed by <code>Ubuntu</code>.</em> 1983 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 1984 <p>shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). 
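</p>
<p>The check a host administrator would want for this finding is whether any real account uid, including centrally defined ones, falls inside a subordinate range in <code>/etc/subuid</code>. The script below is an added example, not shadow-utils' code and not shipped in the image: it parses <code>passwd(5)</code> and <code>subuid(5)</code> text and reports every uid that sits in a range owned by a different account. Both inputs are constructed; on a real host you would feed it <code>getent passwd</code> output (which includes network accounts) and <code>/etc/subuid</code>.</p>

```python
"""Find real account uids that fall inside another user's /etc/subuid range.

Added example; it is not shadow-utils' code and not shipped in the image.
Both inputs below are constructed. On a real host, feed it `getent passwd`
output (which includes centrally defined accounts) and /etc/subuid.
"""
from typing import Dict, List, NamedTuple, Tuple


class SubuidRange(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """Inclusive last uid in the range."""
        return self.start + self.count - 1


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name to uid; comments and blank lines are ignored."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def parse_subuid(text: str) -> List[SubuidRange]:
    """Parse owner:start:count lines."""
    ranges: List[SubuidRange] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        ranges.append(SubuidRange(owner, int(start), int(count)))
    return ranges


def find_conflicts(
    users: Dict[str, int], ranges: List[SubuidRange]
) -> List[Tuple[str, int, SubuidRange]]:
    """Return (account, uid, range) where uid sits in a range owned by someone else."""
    hits: List[Tuple[str, int, SubuidRange]] = []
    for rng in ranges:
        for name, uid in sorted(users.items(), key=lambda item: item[1]):
            if rng.start <= uid <= rng.end and name != rng.owner:
                hits.append((name, uid, rng))
    return hits


# Constructed sample. jdoe stands in for an account defined centrally
# (LDAP/NFS) whose uid happens to land in the first local user's subuid range.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
jdoe:x:100500:100500::/net/home/jdoe:/bin/bash
"""

# Constructed sample using the default allocation the description cites.
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
"""


def main() -> None:
    hits = find_conflicts(parse_passwd(SAMPLE_PASSWD), parse_subuid(SAMPLE_SUBUID))
    for name, uid, rng in hits:
        print(f"uid {uid} ({name}) is inside {rng.owner}'s subuid range {rng.start}-{rng.end}")
    if not hits:
        print("no subuid/uid overlap")


if __name__ == "__main__":
    main()
```

<p>On the sample it reports that uid 100500 (<code>jdoe</code>) lies inside <code>alice</code>'s range 100000-165535. The default range comes from <code>SUB_UID_MIN</code> and <code>SUB_UID_COUNT</code> in <code>login.defs</code>, which is why the paths above point at <code>shadow/login.defs</code>; the container image only carries those defaults, so the overlap check is one to run on hosts that hand out subordinate ranges, not inside the image.</p>
<p>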
NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.</p> 1985 <h2 id="remediation">Remediation</h2> 1986 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>shadow</code>.</p> 1987 <h2 id="references">References</h2> 1988 <ul> 1989 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433</a></li> 1990 <li><a href="https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241">https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241</a></li> 1991 <li><a href="https://github.com/shadow-maint/shadow/issues/1157">https://github.com/shadow-maint/shadow/issues/1157</a></li> 1992 <li><a href="https://github.com/shadow-maint/shadow/releases/tag/4.4">https://github.com/shadow-maint/shadow/releases/tag/4.4</a></li> 1993 </ul> 1994 1995 <hr/> 1996 1997 <div class="cta card__cta"> 1998 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-SHADOW-9791968">More about this vulnerability</a></p> 1999 </div> 2000 2001 </div><!-- .card --> 2002 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2003 <h2 class="card__title">Double Free</h2> 2004 <div class="card__section"> 2005 2006 <div class="card__labels"> 2007 <div class="label label--low"> 2008 <span class="label__text">low severity</span> 2009 </div> 2010 </div> 2011 2012 <hr/> 2013 2014 <ul class="card__meta"> 2015 <li class="card__meta__item"> 2016 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2017 </li> 2018 <li class="card__meta__item"> 2019 Package Manager: ubuntu:25.04 2020 </li> 2021 <li class="card__meta__item"> 2022 Vulnerable module: 2023 2024 patch 2025 </li> 2026 2027 <li class="card__meta__item">Introduced 
through: 2028 2029 docker-image|quay.io/argoproj/argocd@latest and patch@2.7.6-7build3 2030 2031 </li> 2032 </ul> 2033 2034 <hr/> 2035 2036 2037 <h3 class="card__section__title">Detailed paths</h3> 2038 2039 <ul class="card__meta__paths"> 2040 <li> 2041 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2042 docker-image|quay.io/argoproj/argocd@latest 2043 <span class="list-paths__item__arrow">›</span> 2044 patch@2.7.6-7build3 2045 2046 </span> 2047 2048 </li> 2049 </ul><!-- .list-paths --> 2050 2051 </div><!-- .card__section --> 2052 2053 <hr/> 2054 <!-- Overview --> 2055 <h2 id="nvd-description">NVD Description</h2> 2056 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu</code>.</em> 2057 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2058 <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p> 2059 <h2 id="remediation">Remediation</h2> 2060 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>patch</code>.</p> 2061 <h2 id="references">References</h2> 2062 <ul> 2063 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952</a></li> 2064 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952</a></li> 2065 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6952">https://security-tracker.debian.org/tracker/CVE-2018-6952</a></li> 2066 <li><a href="https://security.gentoo.org/glsa/201904-17">https://security.gentoo.org/glsa/201904-17</a></li> 2067 <li><a href="https://savannah.gnu.org/bugs/index.php?53133">https://savannah.gnu.org/bugs/index.php?53133</a></li> 2068 <li><a 
href="https://access.redhat.com/errata/RHSA-2019:2033">https://access.redhat.com/errata/RHSA-2019:2033</a></li> 2069 <li><a href="http://www.securityfocus.com/bid/103047">http://www.securityfocus.com/bid/103047</a></li> 2070 </ul> 2071 2072 <hr/> 2073 2074 <div class="cta card__cta"> 2075 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-PATCH-9814413">More about this vulnerability</a></p> 2076 </div> 2077 2078 </div><!-- .card --> 2079 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2080 <h2 class="card__title">Release of Invalid Pointer or Reference</h2> 2081 <div class="card__section"> 2082 2083 <div class="card__labels"> 2084 <div class="label label--low"> 2085 <span class="label__text">low severity</span> 2086 </div> 2087 </div> 2088 2089 <hr/> 2090 2091 <ul class="card__meta"> 2092 <li class="card__meta__item"> 2093 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2094 </li> 2095 <li class="card__meta__item"> 2096 Package Manager: ubuntu:25.04 2097 </li> 2098 <li class="card__meta__item"> 2099 Vulnerable module: 2100 2101 patch 2102 </li> 2103 2104 <li class="card__meta__item">Introduced through: 2105 2106 docker-image|quay.io/argoproj/argocd@latest and patch@2.7.6-7build3 2107 2108 </li> 2109 </ul> 2110 2111 <hr/> 2112 2113 2114 <h3 class="card__section__title">Detailed paths</h3> 2115 2116 <ul class="card__meta__paths"> 2117 <li> 2118 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2119 docker-image|quay.io/argoproj/argocd@latest 2120 <span class="list-paths__item__arrow">›</span> 2121 patch@2.7.6-7build3 2122 2123 </span> 2124 2125 </li> 2126 </ul><!-- .list-paths --> 2127 2128 </div><!-- .card__section --> 2129 2130 <hr/> 2131 <!-- Overview --> 2132 <h2 id="nvd-description">NVD Description</h2> 2133 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> 
package and not the <code>patch</code> package as distributed by <code>Ubuntu</code>.</em> 2134 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2135 <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p> 2136 <h2 id="remediation">Remediation</h2> 2137 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>patch</code>.</p> 2138 <h2 id="references">References</h2> 2139 <ul> 2140 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261</a></li> 2141 <li><a href="https://savannah.gnu.org/bugs/?61685">https://savannah.gnu.org/bugs/?61685</a></li> 2142 </ul> 2143 2144 <hr/> 2145 2146 <div class="cta card__cta"> 2147 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-PATCH-9821808">More about this vulnerability</a></p> 2148 </div> 2149 2150 </div><!-- .card --> 2151 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2152 <h2 class="card__title">Information Exposure</h2> 2153 <div class="card__section"> 2154 2155 <div class="card__labels"> 2156 <div class="label label--low"> 2157 <span class="label__text">low severity</span> 2158 </div> 2159 </div> 2160 2161 <hr/> 2162 2163 <ul class="card__meta"> 2164 <li class="card__meta__item"> 2165 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2166 </li> 2167 <li class="card__meta__item"> 2168 Package Manager: ubuntu:25.04 2169 </li> 2170 <li class="card__meta__item"> 2171 Vulnerable module: 2172 2173 libgcrypt20 2174 </li> 2175 2176 <li class="card__meta__item">Introduced through: 2177 2178 docker-image|quay.io/argoproj/argocd@latest and libgcrypt20@1.11.0-6ubuntu1 2179 2180 </li> 2181 </ul> 2182 2183 <hr/> 2184 2185 2186 <h3 class="card__section__title">Detailed paths</h3> 2187 2188 <ul 
class="card__meta__paths"> 2189 <li> 2190 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2191 docker-image|quay.io/argoproj/argocd@latest 2192 <span class="list-paths__item__arrow">›</span> 2193 libgcrypt20@1.11.0-6ubuntu1 2194 2195 </span> 2196 2197 </li> 2198 <li> 2199 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2200 docker-image|quay.io/argoproj/argocd@latest 2201 <span class="list-paths__item__arrow">›</span> 2202 gnupg2/dirmngr@2.4.4-2ubuntu23.1 2203 <span class="list-paths__item__arrow">›</span> 2204 libgcrypt20@1.11.0-6ubuntu1 2205 2206 </span> 2207 2208 </li> 2209 <li> 2210 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2211 docker-image|quay.io/argoproj/argocd@latest 2212 <span class="list-paths__item__arrow">›</span> 2213 gnupg2/gpg@2.4.4-2ubuntu23.1 2214 <span class="list-paths__item__arrow">›</span> 2215 libgcrypt20@1.11.0-6ubuntu1 2216 2217 </span> 2218 2219 </li> 2220 <li> 2221 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2222 docker-image|quay.io/argoproj/argocd@latest 2223 <span class="list-paths__item__arrow">›</span> 2224 gnupg2/gpg-agent@2.4.4-2ubuntu23.1 2225 <span class="list-paths__item__arrow">›</span> 2226 libgcrypt20@1.11.0-6ubuntu1 2227 2228 </span> 2229 2230 </li> 2231 <li> 2232 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2233 docker-image|quay.io/argoproj/argocd@latest 2234 <span class="list-paths__item__arrow">›</span> 2235 apt@3.0.0 2236 <span class="list-paths__item__arrow">›</span> 2237 gnupg2/gpgv@2.4.4-2ubuntu23.1 2238 <span class="list-paths__item__arrow">›</span> 2239 libgcrypt20@1.11.0-6ubuntu1 2240 2241 </span> 2242 2243 </li> 2244 <li> 2245 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2246 docker-image|quay.io/argoproj/argocd@latest 2247 <span class="list-paths__item__arrow">›</span> 2248 gnupg2/gpg@2.4.4-2ubuntu23.1 2249 <span class="list-paths__item__arrow">›</span> 
2250 gnupg2/gpgconf@2.4.4-2ubuntu23.1 2251 <span class="list-paths__item__arrow">›</span> 2252 libgcrypt20@1.11.0-6ubuntu1 2253 2254 </span> 2255 2256 </li> 2257 </ul><!-- .list-paths --> 2258 2259 </div><!-- .card__section --> 2260 2261 <hr/> 2262 <!-- Overview --> 2263 <h2 id="nvd-description">NVD Description</h2> 2264 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>libgcrypt20</code> package and not the <code>libgcrypt20</code> package as distributed by <code>Ubuntu</code>.</em> 2265 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2266 <p>A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.</p> 2267 <h2 id="remediation">Remediation</h2> 2268 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>libgcrypt20</code>.</p> 2269 <h2 id="references">References</h2> 2270 <ul> 2271 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236</a></li> 2272 <li><a href="https://access.redhat.com/errata/RHSA-2024:9404">https://access.redhat.com/errata/RHSA-2024:9404</a></li> 2273 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2268268">https://bugzilla.redhat.com/show_bug.cgi?id=2268268</a></li> 2274 <li><a href="https://access.redhat.com/errata/RHSA-2025:3534">https://access.redhat.com/errata/RHSA-2025:3534</a></li> 2275 <li><a href="https://access.redhat.com/errata/RHSA-2025:3530">https://access.redhat.com/errata/RHSA-2025:3530</a></li> 2276 <li><a href="https://access.redhat.com/security/cve/CVE-2024-2236">https://access.redhat.com/security/cve/CVE-2024-2236</a></li> 2277 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2245218">https://bugzilla.redhat.com/show_bug.cgi?id=2245218</a></li> 2278 
</ul> 2279 2280 <hr/> 2281 2282 <div class="cta card__cta"> 2283 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-LIBGCRYPT20-9794004">More about this vulnerability</a></p> 2284 </div> 2285 2286 </div><!-- .card --> 2287 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2288 <h2 class="card__title">Out-of-bounds Write</h2> 2289 <div class="card__section"> 2290 2291 <div class="card__labels"> 2292 <div class="label label--low"> 2293 <span class="label__text">low severity</span> 2294 </div> 2295 </div> 2296 2297 <hr/> 2298 2299 <ul class="card__meta"> 2300 <li class="card__meta__item"> 2301 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2302 </li> 2303 <li class="card__meta__item"> 2304 Package Manager: ubuntu:25.04 2305 </li> 2306 <li class="card__meta__item"> 2307 Vulnerable module: 2308 2309 gnupg2/gpgv 2310 </li> 2311 2312 <li class="card__meta__item">Introduced through: 2313 2314 docker-image|quay.io/argoproj/argocd@latest and gnupg2/gpgv@2.4.4-2ubuntu23.1 2315 2316 </li> 2317 </ul> 2318 2319 <hr/> 2320 2321 2322 <h3 class="card__section__title">Detailed paths</h3> 2323 2324 <ul class="card__meta__paths"> 2325 <li> 2326 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2327 docker-image|quay.io/argoproj/argocd@latest 2328 <span class="list-paths__item__arrow">›</span> 2329 gnupg2/gpgv@2.4.4-2ubuntu23.1 2330 2331 </span> 2332 2333 </li> 2334 <li> 2335 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2336 docker-image|quay.io/argoproj/argocd@latest 2337 <span class="list-paths__item__arrow">›</span> 2338 apt@3.0.0 2339 <span class="list-paths__item__arrow">›</span> 2340 gnupg2/gpgv@2.4.4-2ubuntu23.1 2341 2342 </span> 2343 2344 </li> 2345 <li> 2346 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2347 docker-image|quay.io/argoproj/argocd@latest 2348 <span 
class="list-paths__item__arrow">›</span> 2349 gnupg2/dirmngr@2.4.4-2ubuntu23.1 2350 <span class="list-paths__item__arrow">›</span> 2351 gnupg2/gpgconf@2.4.4-2ubuntu23.1 2352 2353 </span> 2354 2355 </li> 2356 <li> 2357 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2358 docker-image|quay.io/argoproj/argocd@latest 2359 <span class="list-paths__item__arrow">›</span> 2360 gnupg2/gpg-agent@2.4.4-2ubuntu23.1 2361 <span class="list-paths__item__arrow">›</span> 2362 gnupg2/gpgconf@2.4.4-2ubuntu23.1 2363 2364 </span> 2365 2366 </li> 2367 <li> 2368 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2369 docker-image|quay.io/argoproj/argocd@latest 2370 <span class="list-paths__item__arrow">›</span> 2371 gnupg2/gpg@2.4.4-2ubuntu23.1 2372 <span class="list-paths__item__arrow">›</span> 2373 gnupg2/gpgconf@2.4.4-2ubuntu23.1 2374 2375 </span> 2376 2377 </li> 2378 <li> 2379 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2380 docker-image|quay.io/argoproj/argocd@latest 2381 <span class="list-paths__item__arrow">›</span> 2382 gnupg2/dirmngr@2.4.4-2ubuntu23.1 2383 2384 </span> 2385 2386 </li> 2387 <li> 2388 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2389 docker-image|quay.io/argoproj/argocd@latest 2390 <span class="list-paths__item__arrow">›</span> 2391 gnupg2/gpg@2.4.4-2ubuntu23.1 2392 2393 </span> 2394 2395 </li> 2396 <li> 2397 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2398 docker-image|quay.io/argoproj/argocd@latest 2399 <span class="list-paths__item__arrow">›</span> 2400 gnupg2/gpg-agent@2.4.4-2ubuntu23.1 2401 2402 </span> 2403 2404 </li> 2405 </ul><!-- .list-paths --> 2406 2407 </div><!-- .card__section --> 2408 2409 <hr/> 2410 <!-- Overview --> 2411 <h2 id="nvd-description">NVD Description</h2> 2412 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gnupg2</code> package and not the 
<code>gnupg2</code> package as distributed by <code>Ubuntu</code>.</em> 2413 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2414 <p>GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.</p> 2415 <h2 id="remediation">Remediation</h2> 2416 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>gnupg2</code>.</p> 2417 <h2 id="references">References</h2> 2418 <ul> 2419 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219</a></li> 2420 <li><a href="https://access.redhat.com/security/cve/CVE-2022-3219">https://access.redhat.com/security/cve/CVE-2022-3219</a></li> 2421 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2127010">https://bugzilla.redhat.com/show_bug.cgi?id=2127010</a></li> 2422 <li><a href="https://dev.gnupg.org/D556">https://dev.gnupg.org/D556</a></li> 2423 <li><a href="https://dev.gnupg.org/T5993">https://dev.gnupg.org/T5993</a></li> 2424 <li><a href="https://marc.info/?l=oss-security&m=165696590211434&w=4">https://marc.info/?l=oss-security&m=165696590211434&w=4</a></li> 2425 <li><a href="https://security.netapp.com/advisory/ntap-20230324-0001/">https://security.netapp.com/advisory/ntap-20230324-0001/</a></li> 2426 </ul> 2427 2428 <hr/> 2429 2430 <div class="cta card__cta"> 2431 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-GNUPG2-9801283">More about this vulnerability</a></p> 2432 </div> 2433 2434 </div><!-- .card --> 2435 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2436 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 2437 <div class="card__section"> 2438 2439 <div class="card__labels"> 2440 <div class="label label--low"> 2441 <span class="label__text">low severity</span> 2442 </div> 2443 </div> 2444 2445 <hr/> 
2446 2447 <ul class="card__meta"> 2448 <li class="card__meta__item"> 2449 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2450 </li> 2451 <li class="card__meta__item"> 2452 Package Manager: ubuntu:25.04 2453 </li> 2454 <li class="card__meta__item"> 2455 Vulnerable module: 2456 2457 glibc/libc-bin 2458 </li> 2459 2460 <li class="card__meta__item">Introduced through: 2461 2462 docker-image|quay.io/argoproj/argocd@latest and glibc/libc-bin@2.41-6ubuntu1.1 2463 2464 </li> 2465 </ul> 2466 2467 <hr/> 2468 2469 2470 <h3 class="card__section__title">Detailed paths</h3> 2471 2472 <ul class="card__meta__paths"> 2473 <li> 2474 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2475 docker-image|quay.io/argoproj/argocd@latest 2476 <span class="list-paths__item__arrow">›</span> 2477 glibc/libc-bin@2.41-6ubuntu1.1 2478 2479 </span> 2480 2481 </li> 2482 <li> 2483 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2484 docker-image|quay.io/argoproj/argocd@latest 2485 <span class="list-paths__item__arrow">›</span> 2486 glibc/libc6@2.41-6ubuntu1.1 2487 2488 </span> 2489 2490 </li> 2491 </ul><!-- .list-paths --> 2492 2493 </div><!-- .card__section --> 2494 2495 <hr/> 2496 <!-- Overview --> 2497 <h2 id="nvd-description">NVD Description</h2> 2498 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 2499 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2500 <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.</p> 2501 <h2 id="remediation">Remediation</h2> 2502 <p>There is no fixed version for 
<code>Ubuntu:25.04</code> <code>glibc</code>.</p> 2503 <h2 id="references">References</h2> 2504 <ul> 2505 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013</a></li> 2506 <li><a href="https://akkadia.org/drepper/SHA-crypt.txt">https://akkadia.org/drepper/SHA-crypt.txt</a></li> 2507 <li><a href="https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/">https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/</a></li> 2508 <li><a href="https://twitter.com/solardiz/status/795601240151457793">https://twitter.com/solardiz/status/795601240151457793</a></li> 2509 </ul> 2510 2511 <hr/> 2512 2513 <div class="cta card__cta"> 2514 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-GLIBC-9828016">More about this vulnerability</a></p> 2515 </div> 2516 2517 </div><!-- .card --> 2518 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2519 <h2 class="card__title">CVE-2025-9086</h2> 2520 <div class="card__section"> 2521 2522 <div class="card__labels"> 2523 <div class="label label--low"> 2524 <span class="label__text">low severity</span> 2525 </div> 2526 </div> 2527 2528 <hr/> 2529 2530 <ul class="card__meta"> 2531 <li class="card__meta__item"> 2532 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2533 </li> 2534 <li class="card__meta__item"> 2535 Package Manager: ubuntu:25.04 2536 </li> 2537 <li class="card__meta__item"> 2538 Vulnerable module: 2539 2540 curl/libcurl3t64-gnutls 2541 </li> 2542 2543 <li class="card__meta__item">Introduced through: 2544 2545 2546 docker-image|quay.io/argoproj/argocd@latest, git@1:2.48.1-0ubuntu1.1 and others 2547 </li> 2548 </ul> 2549 2550 <hr/> 2551 2552 2553 <h3 class="card__section__title">Detailed paths</h3> 2554 2555 <ul class="card__meta__paths"> 2556 <li> 2557 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2558 docker-image|quay.io/argoproj/argocd@latest 2559 <span class="list-paths__item__arrow">›</span> 2560 git@1:2.48.1-0ubuntu1.1 2561 <span class="list-paths__item__arrow">›</span> 2562 curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 2563 2564 </span> 2565 2566 </li> 2567 </ul><!-- .list-paths --> 2568 2569 </div><!-- .card__section --> 2570 2571 <hr/> 2572 <!-- Overview --> 2573 <h2 id="nvd-description">NVD Description</h2> 2574 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 2575 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2576 <ol> 2577 <li>A cookie is set using the <code>secure</code> keyword for <code>https://target</code></li> 2578 <li>curl is redirected to or otherwise made to speak with <code>http://target</code> (same 2579 hostname, but using clear text HTTP) using the same cookie set</li> 2580 <li>The same cookie name is set - but with just a slash as path (<code>path=&#39;/&#39;</code>). 
2581 Since this site is not secure, the cookie <em>should</em> just be ignored.</li> 2582 <li>A bug in the path comparison logic makes curl read outside a heap buffer 2583 boundary</li> 2584 </ol> 2585 <p>The bug either causes a crash or it potentially makes the comparison come to 2586 the wrong conclusion and lets the clear-text site override the contents of the 2587 secure cookie, contrary to expectations and depending on the memory contents 2588 immediately following the single-byte allocation that holds the path.</p> 2589 <p>The presumed and correct behavior would be to plainly ignore the second set of 2590 the cookie since it was already set as secure on a secure host so overriding 2591 it on an insecure host should not be okay.</p> 2592 <h2 id="remediation">Remediation</h2> 2593 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>curl</code>.</p> 2594 <h2 id="references">References</h2> 2595 <ul> 2596 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086</a></li> 2597 <li><a href="https://curl.se/docs/CVE-2025-9086.html">https://curl.se/docs/CVE-2025-9086.html</a></li> 2598 <li><a href="https://curl.se/docs/CVE-2025-9086.json">https://curl.se/docs/CVE-2025-9086.json</a></li> 2599 <li><a href="https://hackerone.com/reports/3294999">https://hackerone.com/reports/3294999</a></li> 2600 </ul> 2601 2602 <hr/> 2603 2604 <div class="cta card__cta"> 2605 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-CURL-12613445">More about this vulnerability</a></p> 2606 </div> 2607 2608 </div><!-- .card --> 2609 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2610 <h2 class="card__title">CVE-2025-10148</h2> 2611 <div class="card__section"> 2612 2613 <div class="card__labels"> 2614 <div class="label label--low"> 2615 <span class="label__text">low severity</span> 2616 </div> 2617 </div> 2618 2619 <hr/> 2620 2621 <ul class="card__meta"> 2622 <li 
class="card__meta__item"> 2623 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2624 </li> 2625 <li class="card__meta__item"> 2626 Package Manager: ubuntu:25.04 2627 </li> 2628 <li class="card__meta__item"> 2629 Vulnerable module: 2630 2631 curl/libcurl3t64-gnutls 2632 </li> 2633 2634 <li class="card__meta__item">Introduced through: 2635 2636 2637 docker-image|quay.io/argoproj/argocd@latest, git@1:2.48.1-0ubuntu1.1 and others 2638 </li> 2639 </ul> 2640 2641 <hr/> 2642 2643 2644 <h3 class="card__section__title">Detailed paths</h3> 2645 2646 <ul class="card__meta__paths"> 2647 <li> 2648 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2649 docker-image|quay.io/argoproj/argocd@latest 2650 <span class="list-paths__item__arrow">›</span> 2651 git@1:2.48.1-0ubuntu1.1 2652 <span class="list-paths__item__arrow">›</span> 2653 curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 2654 2655 </span> 2656 2657 </li> 2658 </ul><!-- .list-paths --> 2659 2660 </div><!-- .card__section --> 2661 2662 <hr/> 2663 <!-- Overview --> 2664 <h2 id="nvd-description">NVD Description</h2> 2665 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 2666 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2667 <p>curl's websocket code did not update the 32 bit mask pattern for each new 2668 outgoing frame as the specification says. 
Instead it used a fixed mask that 2669 persisted and was used throughout the entire connection.</p> 2670 <p>A predictable mask pattern allows for a malicious server to induce traffic 2671 between the two communicating parties that could be interpreted by an involved 2672 proxy (configured or transparent) as genuine, real, HTTP traffic with content 2673 and thereby poison its cache. That cached poisoned content could then be 2674 served to all users of that proxy.</p> 2675 <h2 id="remediation">Remediation</h2> 2676 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>curl</code>.</p> 2677 <h2 id="references">References</h2> 2678 <ul> 2679 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148</a></li> 2680 <li><a href="https://curl.se/docs/CVE-2025-10148.html">https://curl.se/docs/CVE-2025-10148.html</a></li> 2681 <li><a href="https://curl.se/docs/CVE-2025-10148.json">https://curl.se/docs/CVE-2025-10148.json</a></li> 2682 <li><a href="https://hackerone.com/reports/3330839">https://hackerone.com/reports/3330839</a></li> 2683 </ul> 2684 2685 <hr/> 2686 2687 <div class="cta card__cta"> 2688 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-CURL-12613508">More about this vulnerability</a></p> 2689 </div> 2690 2691 </div><!-- .card --> 2692 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2693 <h2 class="card__title">Improper Input Validation</h2> 2694 <div class="card__section"> 2695 2696 <div class="card__labels"> 2697 <div class="label label--low"> 2698 <span class="label__text">low severity</span> 2699 </div> 2700 </div> 2701 2702 <hr/> 2703 2704 <ul class="card__meta"> 2705 <li class="card__meta__item"> 2706 Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2707 </li> 2708 <li class="card__meta__item"> 2709 Package Manager: ubuntu:25.04 2710 </li> 2711 <li 
class="card__meta__item"> 2712 Vulnerable module: 2713 2714 coreutils 2715 </li> 2716 2717 <li class="card__meta__item">Introduced through: 2718 2719 docker-image|quay.io/argoproj/argocd@latest and coreutils@9.5-1ubuntu1.25.04.2 2720 2721 </li> 2722 </ul> 2723 2724 <hr/> 2725 2726 2727 <h3 class="card__section__title">Detailed paths</h3> 2728 2729 <ul class="card__meta__paths"> 2730 <li> 2731 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2732 docker-image|quay.io/argoproj/argocd@latest 2733 <span class="list-paths__item__arrow">›</span> 2734 coreutils@9.5-1ubuntu1.25.04.2 2735 2736 </span> 2737 2738 </li> 2739 </ul><!-- .list-paths --> 2740 2741 </div><!-- .card__section --> 2742 2743 <hr/> 2744 <!-- Overview --> 2745 <h2 id="nvd-description">NVD Description</h2> 2746 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu</code>.</em> 2747 <em>See <code>How to fix?</code> for <code>Ubuntu:25.04</code> relevant fixed versions and status.</em></p> 2748 <p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.</p> 2749 <h2 id="remediation">Remediation</h2> 2750 <p>There is no fixed version for <code>Ubuntu:25.04</code> <code>coreutils</code>.</p> 2751 <h2 id="references">References</h2> 2752 <ul> 2753 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781</a></li> 2754 <li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2781">https://security-tracker.debian.org/tracker/CVE-2016-2781</a></li> 2755 <li><a 
href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E</a></li> 2756 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/2">http://www.openwall.com/lists/oss-security/2016/02/28/2</a></li> 2757 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/3">http://www.openwall.com/lists/oss-security/2016/02/28/3</a></li> 2758 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E">https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E</a></li> 2759 </ul> 2760 2761 <hr/> 2762 2763 <div class="cta card__cta"> 2764 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2504-COREUTILS-9827293">More about this vulnerability</a></p> 2765 </div> 2766 2767 </div><!-- .card --> 2768 </div><!-- cards --> 2769 </div> 2770 </main><!-- .layout-stacked__content --> 2771 </body> 2772 2773 </html>