github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v2.14.17/quay.io_argoproj_argocd_v2.14.17.html (about) 1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="28 known vulnerabilities found in 86 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 84 padding: 0; 85 
background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #030328; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 word-wrap: break-word; 
155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card__labels { 205 position: absolute; 206 top: 1.1em; 207 left: 0; 208 display: flex; 209 align-items: center; 210 gap: 8px; 211 } 212 213 .card .label { 214 background-color: #767676; 215 border: 2px solid #767676; 216 color: white; 217 padding: 0.25rem 0.75rem; 218 font-size: 0.875rem; 219 text-transform: uppercase; 220 display: inline-block; 221 margin: 0; 222 border-radius: 0.25rem; 223 } 224 225 .card .label__text { 226 vertical-align: text-top; 227 font-weight: bold; 228 } 229 230 .card .label--critical { 231 background-color: #AB1A1A; 232 border-color: #AB1A1A; 233 } 234 235 .card .label--high { 236 background-color: #CE5019; 237 border-color: #CE5019; 238 } 239 240 .card .label--medium { 241 background-color: #D68000; 242 border-color: #D68000; 243 } 244 245 .card .label--low { 246 background-color: #88879E; 247 border-color: #88879E; 248 } 249 250 .severity--low { 251 border-color: #88879E; 252 } 253 254 .severity--medium { 255 border-color: #D68000; 256 } 257 258 .severity--high { 259 border-color: #CE5019; 260 } 261 262 .severity--critical { 263 border-color: #AB1A1A; 264 } 265 266 .card--vuln { 267 
padding-top: 4em; 268 } 269 270 .card--vuln .card__labels > .label:first-child { 271 padding-left: 1.9em; 272 padding-right: 1.9em; 273 border-radius: 0 0.25rem 0.25rem 0; 274 } 275 276 .card--vuln .card__section h2 { 277 font-size: 22px; 278 margin-bottom: 0.5em; 279 } 280 281 .card--vuln .card__section p { 282 margin: 0 0 0.5em 0; 283 } 284 285 .card--vuln .card__meta { 286 padding: 0 0 0 1em; 287 margin: 0; 288 font-size: 1.1em; 289 } 290 291 .card .card__meta__paths { 292 font-size: 0.9em; 293 } 294 295 .card--vuln .card__title { 296 font-size: 28px; 297 margin-top: 0; 298 margin-right: 100px; /* Ensure space for the risk score */ 299 } 300 301 .card--vuln .card__cta p { 302 margin: 0; 303 text-align: right; 304 } 305 306 .risk-score-display { 307 position: absolute; 308 top: 1.5em; 309 right: 1.5em; 310 text-align: right; 311 z-index: 10; 312 } 313 314 .risk-score-display__label { 315 font-size: 0.7em; 316 font-weight: bold; 317 color: #586069; 318 text-transform: uppercase; 319 line-height: 1; 320 margin-bottom: 3px; 321 } 322 323 .risk-score-display__value { 324 font-size: 1.9em; 325 font-weight: 600; 326 color: #24292e; 327 line-height: 1; 328 } 329 330 .source-panel { 331 clear: both; 332 display: flex; 333 justify-content: flex-start; 334 flex-direction: column; 335 align-items: flex-start; 336 padding: 0.5em 0; 337 width: fit-content; 338 } 339 340 341 342 </style> 343 <style type="text/css"> 344 .metatable { 345 text-size-adjust: 100%; 346 -webkit-font-smoothing: antialiased; 347 -webkit-box-direction: normal; 348 color: inherit; 349 font-feature-settings: "pnum"; 350 box-sizing: border-box; 351 background: transparent; 352 border: 0; 353 font: inherit; 354 font-size: 100%; 355 margin: 0; 356 outline: none; 357 padding: 0; 358 text-align: left; 359 text-decoration: none; 360 vertical-align: baseline; 361 z-index: auto; 362 margin-top: 12px; 363 border-collapse: collapse; 364 border-spacing: 0; 365 font-variant-numeric: tabular-nums; 366 max-width: 
51.75em; 367 } 368 369 tbody { 370 text-size-adjust: 100%; 371 -webkit-font-smoothing: antialiased; 372 -webkit-box-direction: normal; 373 color: inherit; 374 font-feature-settings: "pnum"; 375 border-collapse: collapse; 376 border-spacing: 0; 377 box-sizing: border-box; 378 background: transparent; 379 border: 0; 380 font: inherit; 381 font-size: 100%; 382 margin: 0; 383 outline: none; 384 padding: 0; 385 text-align: left; 386 text-decoration: none; 387 vertical-align: baseline; 388 z-index: auto; 389 display: flex; 390 flex-wrap: wrap; 391 } 392 393 .meta-row { 394 text-size-adjust: 100%; 395 -webkit-font-smoothing: antialiased; 396 -webkit-box-direction: normal; 397 color: inherit; 398 font-feature-settings: "pnum"; 399 border-collapse: collapse; 400 border-spacing: 0; 401 box-sizing: border-box; 402 background: transparent; 403 border: 0; 404 font: inherit; 405 font-size: 100%; 406 outline: none; 407 text-align: left; 408 text-decoration: none; 409 vertical-align: baseline; 410 z-index: auto; 411 display: flex; 412 align-items: start; 413 border-top: 1px solid #d3d3d9; 414 padding: 8px 0 0 0; 415 border-bottom: none; 416 margin: 8px; 417 width: 47.75%; 418 } 419 420 .meta-row-label { 421 text-size-adjust: 100%; 422 -webkit-font-smoothing: antialiased; 423 -webkit-box-direction: normal; 424 font-feature-settings: "pnum"; 425 border-collapse: collapse; 426 border-spacing: 0; 427 color: #4c4a73; 428 box-sizing: border-box; 429 background: transparent; 430 border: 0; 431 font: inherit; 432 margin: 0; 433 outline: none; 434 text-decoration: none; 435 z-index: auto; 436 align-self: start; 437 flex: 1; 438 font-size: 1rem; 439 line-height: 1.5rem; 440 padding: 0; 441 text-align: left; 442 vertical-align: top; 443 text-transform: none; 444 letter-spacing: 0; 445 } 446 447 .meta-row-value { 448 text-size-adjust: 100%; 449 -webkit-font-smoothing: antialiased; 450 -webkit-box-direction: normal; 451 color: inherit; 452 font-feature-settings: "pnum"; 453 border-collapse: 
collapse; 454 border-spacing: 0; 455 word-break: break-word; 456 box-sizing: border-box; 457 background: transparent; 458 border: 0; 459 font: inherit; 460 font-size: 100%; 461 margin: 0; 462 outline: none; 463 padding: 0; 464 text-align: right; 465 text-decoration: none; 466 vertical-align: baseline; 467 z-index: auto; 468 } 469 </style> 470 </head> 471 472 <body class="section-projects"> 473 <main class="layout-stacked"> 474 <div class="layout-stacked__header header"> 475 <header class="project__header"> 476 <div class="layout-container"> 477 <a class="brand" href="https://snyk.io" title="Snyk"> 478 <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 479 <title>Snyk - Open Source Security</title> 480 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 481 <g fill="#fff"> 482 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 
40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 483 </g> 484 </g> 485 </svg> 486 </a> 487 <div class="header-wrap"> 488 <h1 class="project__header__title">Snyk test report</h1> 489 490 <p class="timestamp">September 14th 2025, 12:30:33 am (UTC+00:00)</p> 491 </div> 492 <div class="source-panel"> 493 <span>Scanned the following paths:</span> 494 <ul> 495 <li class="paths">quay.io/argoproj/argocd:v2.14.17/argoproj/argocd/Dockerfile (deb)</li> 496 <li class="paths">quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)</li> 497 <li class="paths">quay.io/argoproj/argocd:v2.14.17//usr/local/bin/kustomize (gomodules)</li> 498 <li class="paths">quay.io/argoproj/argocd:v2.14.17/helm/v3//usr/local/bin/helm (gomodules)</li> 499 <li class="paths">quay.io/argoproj/argocd:v2.14.17/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li> 500 </ul> 501 </div> 502 503 <div class="meta-counts"> 504 <div class="meta-count"><span>28</span> <span>known vulnerabilities</span></div> 505 <div class="meta-count"><span>86 vulnerable dependency paths</span></div> 506 <div class="meta-count"><span>2383</span> <span>dependencies</span></div> 507 </div><!-- .meta-counts --> 508 </div><!-- .layout-container--short --> 509 </header><!-- .project__header --> 510 </div><!-- .layout-stacked__header --> 511 512 <div class="layout-container" style="padding-top: 35px;"> 513 <div class="cards--vuln filter--patch filter--ignore"> 514 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 515 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 516 <div class="card__section"> 517 518 <div class="card__labels"> 519 <div class="label label--high"> 520 <span 
class="label__text">high severity</span> 521 </div> 522 </div> 523 524 <hr/> 525 526 <ul class="card__meta"> 527 <li class="card__meta__item"> 528 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 529 </li> 530 <li class="card__meta__item"> 531 Package Manager: golang 532 </li> 533 <li class="card__meta__item"> 534 Vulnerable module: 535 536 golang.org/x/oauth2/jws 537 </li> 538 539 <li class="card__meta__item">Introduced through: 540 541 github.com/argoproj/argo-cd/v2@* and golang.org/x/oauth2/jws@v0.24.0 542 543 </li> 544 </ul> 545 546 <hr/> 547 548 549 <h3 class="card__section__title">Detailed paths</h3> 550 551 <ul class="card__meta__paths"> 552 <li> 553 <span class="list-paths__item__introduced"><em>Introduced through</em>: 554 github.com/argoproj/argo-cd/v2@* 555 <span class="list-paths__item__arrow">›</span> 556 golang.org/x/oauth2/jws@v0.24.0 557 558 </span> 559 560 </li> 561 </ul><!-- .list-paths --> 562 563 </div><!-- .card__section --> 564 565 <hr/> 566 <!-- Overview --> 567 <h2 id="overview">Overview</h2> 568 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.</p> 569 <h2 id="remediation">Remediation</h2> 570 <p>Upgrade <code>golang.org/x/oauth2/jws</code> to version 0.27.0 or higher.</p> 571 <h2 id="references">References</h2> 572 <ul> 573 <li><a href="https://github.com/golang/oauth2/commit/681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3">GitHub Commit</a></li> 574 <li><a href="https://github.com/lestrrat-go/jwx/commit/d0bb4610154d45b7dce7d706a8068ea72586d249">GitHub Commit</a></li> 575 <li><a href="https://github.com/golang/go/issues/71490">GitHub Issue</a></li> 576 <li><a href="https://github.com/lestrrat-go/jwx/pull/1308">GitHub PR</a></li> 577 <li><a href="https://pkg.go.dev/vuln/GO-2025-3488">Go Advisory</a></li> 578 </ul> 579 580 
<hr/> 581 582 <div class="cta card__cta"> 583 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594">More about this vulnerability</a></p> 584 </div> 585 586 </div><!-- .card --> 587 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 588 <h2 class="card__title">Denial of Service (DoS)</h2> 589 <div class="card__section"> 590 591 <div class="card__labels"> 592 <div class="label label--high"> 593 <span class="label__text">high severity</span> 594 </div> 595 </div> 596 597 <hr/> 598 599 <ul class="card__meta"> 600 <li class="card__meta__item"> 601 Manifest file: quay.io/argoproj/argocd:v2.14.17/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm 602 </li> 603 <li class="card__meta__item"> 604 Package Manager: golang 605 </li> 606 <li class="card__meta__item"> 607 Vulnerable module: 608 609 golang.org/x/net/html 610 </li> 611 612 <li class="card__meta__item">Introduced through: 613 614 helm.sh/helm/v3@* and golang.org/x/net/html@v0.26.0 615 616 </li> 617 </ul> 618 619 <hr/> 620 621 622 <h3 class="card__section__title">Detailed paths</h3> 623 624 <ul class="card__meta__paths"> 625 <li> 626 <span class="list-paths__item__introduced"><em>Introduced through</em>: 627 helm.sh/helm/v3@* 628 <span class="list-paths__item__arrow">›</span> 629 golang.org/x/net/html@v0.26.0 630 631 </span> 632 633 </li> 634 </ul><!-- .list-paths --> 635 636 </div><!-- .card__section --> 637 638 <hr/> 639 <!-- Overview --> 640 <h2 id="overview">Overview</h2> 641 <p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p> 642 <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the functions <code>parseDoctype</code>, <code>htmlIntegrationPoint</code>, <code>inBodyIM</code> and <code>inTableIM</code> due to inefficient usage of the method <code>strings.ToLower</code> combining with the 
<code>==</code> operator to convert strings to lowercase and then compare them.</p> 643 <p>An attacker can cause the application to slow down significantly by crafting inputs that are processed non-linearly.</p> 644 <h2 id="details">Details</h2> 645 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p> 646 <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users, resulting in downtime.</p> 647 <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p> 648 <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to crash or cripple a service by exploiting a flaw either in the application code or in the open source libraries it uses.</p> 649 <p>Two common types of DoS vulnerabilities:</p> 650 <ul> 651 <li><p>High CPU/Memory Consumption - An attacker sends crafted requests that could cause the system to take a disproportionate amount of time to process them. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p> 652 </li> 653 <li><p>Crash - An attacker sends crafted requests that could cause the system to crash.
For example, <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a>.</p> 654 </li> 655 </ul> 656 <h2 id="remediation">Remediation</h2> 657 <p>Upgrade <code>golang.org/x/net/html</code> to version 0.33.0 or higher. The module is compiled into the bundled <code>/usr/local/bin/helm</code> binary, so the fix reaches this image only through a helm build that uses the patched module.</p> 658 <h2 id="references">References</h2> 659 <ul> 660 <li><a href="https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb">GitHub Commit</a></li> 661 <li><a href="https://github.com/golang/go/issues/70906">GitHub Issue</a></li> 662 <li><a href="https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ">Google Groups Forum</a></li> 663 </ul> 664 665 <hr/> 666 667 <div class="cta card__cta"> 668 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-8535262">More about this vulnerability</a></p> 669 </div> 670 671 </div><!-- .card --> 672 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 673 <h2 class="card__title">Directory Traversal</h2> 674 <div class="card__section"> 675 676 <div class="card__labels"> 677 <div class="label label--medium"> 678 <span class="label__text">medium severity</span> 679 </div> 680 </div> 681 682 <hr/> 683 684 <ul class="card__meta"> 685 <li class="card__meta__item"> 686 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 687 </li> 688 <li class="card__meta__item"> 689 Package Manager: ubuntu:24.04 690 </li> 691 <li class="card__meta__item"> 692 Vulnerable module: 693 694 tar 695 </li> 696 697 <li class="card__meta__item">Introduced through: 698 699 docker-image|quay.io/argoproj/argocd@v2.14.17 and tar@1.35+dfsg-3build1 700 701 </li> 702 </ul> 703 704 <hr/> 705 706 707 <h3 class="card__section__title">Detailed paths</h3> 708 709 <ul class="card__meta__paths"> 710 <li> 711 <span class="list-paths__item__introduced"><em>Introduced through</em>: 712 docker-image|quay.io/argoproj/argocd@v2.14.17 713 <span class="list-paths__item__arrow">›</span> 714 
tar@1.35+dfsg-3build1 715 716 </span> 717 718 </li> 719 <li> 720 <span class="list-paths__item__introduced"><em>Introduced through</em>: 721 docker-image|quay.io/argoproj/argocd@v2.14.17 722 <span class="list-paths__item__arrow">›</span> 723 dash@0.5.12-6ubuntu5 724 <span class="list-paths__item__arrow">›</span> 725 dpkg@1.22.6ubuntu6.1 726 <span class="list-paths__item__arrow">›</span> 727 tar@1.35+dfsg-3build1 728 729 </span> 730 731 </li> 732 </ul><!-- .list-paths --> 733 734 </div><!-- .card__section --> 735 736 <hr/> 737 <!-- Overview --> 738 <h2 id="nvd-description">NVD Description</h2> 739 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>tar</code> package and not the <code>tar</code> package as distributed by <code>Ubuntu</code>.</em> 740 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 741 <p>GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. 
This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.</p> 742 <h2 id="remediation">Remediation</h2> 743 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>tar</code>. Until one is released, extract each untrusted archive into its own otherwise-empty directory, as the GNU Tar manual's Security Rules of Thumb (linked under References) recommend.</p> 744 <h2 id="references">References</h2> 745 <ul> 746 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582</a></li> 747 <li><a href="https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md">https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md</a></li> 748 <li><a href="https://www.gnu.org/software/tar/">https://www.gnu.org/software/tar/</a></li> 749 <li><a href="https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html">https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html</a></li> 750 <li><a href="https://www.gnu.org/software/tar/manual/html_node/Integrity.html">https://www.gnu.org/software/tar/manual/html_node/Integrity.html</a></li> 751 <li><a href="https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html">https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html</a></li> 752 </ul> 753 754 <hr/> 755 756 <div class="cta card__cta"> 757 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-TAR-10769052">More about this vulnerability</a></p> 758 </div> 759 760 </div><!-- .card --> 761 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 762 <h2 class="card__title">CVE-2025-7709</h2> 763 <div class="card__section"> 764 765 <div class="card__labels"> 766 <div class="label label--medium"> 767 <span 
class="label__text">medium severity</span> 768 </div> 769 </div> 770 771 <hr/> 772 773 <ul class="card__meta"> 774 <li class="card__meta__item"> 775 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 776 </li> 777 <li class="card__meta__item"> 778 Package Manager: ubuntu:24.04 779 </li> 780 <li class="card__meta__item"> 781 Vulnerable module: 782 783 sqlite3/libsqlite3-0 784 </li> 785 786 <li class="card__meta__item">Introduced through: 787 788 789 docker-image|quay.io/argoproj/argocd@v2.14.17, gnupg2/gpg@2.4.4-2ubuntu17.3 and others 790 </li> 791 </ul> 792 793 <hr/> 794 795 796 <h3 class="card__section__title">Detailed paths</h3> 797 798 <ul class="card__meta__paths"> 799 <li> 800 <span class="list-paths__item__introduced"><em>Introduced through</em>: 801 docker-image|quay.io/argoproj/argocd@v2.14.17 802 <span class="list-paths__item__arrow">›</span> 803 gnupg2/gpg@2.4.4-2ubuntu17.3 804 <span class="list-paths__item__arrow">›</span> 805 sqlite3/libsqlite3-0@3.45.1-1ubuntu2.4 806 807 </span> 808 809 </li> 810 </ul><!-- .list-paths --> 811 812 </div><!-- .card__section --> 813 814 <hr/> 815 <!-- Overview --> 816 <h2 id="nvd-description">NVD Description</h2> 817 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu</code>.</em> 818 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 819 <p>An integer overflow exists in the FTS5 <a href="https://sqlite.org/fts5.html">https://sqlite.org/fts5.html</a> extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. 
A pointer to partially controlled data can then be written out of bounds.</p> 820 <h2 id="remediation">Remediation</h2> 821 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>sqlite3</code>.</p> 822 <h2 id="references">References</h2> 823 <ul> 824 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7709">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7709</a></li> 825 <li><a href="https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g">https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g</a></li> 826 </ul> 827 828 <hr/> 829 830 <div class="cta card__cta"> 831 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-SQLITE3-12554290">More about this vulnerability</a></p> 832 </div> 833 834 </div><!-- .card --> 835 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 836 <h2 class="card__title">Insecure Storage of Sensitive Information</h2> 837 <div class="card__section"> 838 839 <div class="card__labels"> 840 <div class="label label--medium"> 841 <span class="label__text">medium severity</span> 842 </div> 843 </div> 844 845 <hr/> 846 847 <ul class="card__meta"> 848 <li class="card__meta__item"> 849 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 850 </li> 851 <li class="card__meta__item"> 852 Package Manager: ubuntu:24.04 853 </li> 854 <li class="card__meta__item"> 855 Vulnerable module: 856 857 pam/libpam0g 858 </li> 859 860 <li class="card__meta__item">Introduced through: 861 862 docker-image|quay.io/argoproj/argocd@v2.14.17 and pam/libpam0g@1.5.3-5ubuntu5.4 863 864 </li> 865 </ul> 866 867 <hr/> 868 869 870 <h3 class="card__section__title">Detailed paths</h3> 871 872 <ul class="card__meta__paths"> 873 <li> 874 <span class="list-paths__item__introduced"><em>Introduced through</em>: 875 docker-image|quay.io/argoproj/argocd@v2.14.17 876 <span 
class="list-paths__item__arrow">›</span> 877 pam/libpam0g@1.5.3-5ubuntu5.4 878 879 </span> 880 881 </li> 882 <li> 883 <span class="list-paths__item__introduced"><em>Introduced through</em>: 884 docker-image|quay.io/argoproj/argocd@v2.14.17 885 <span class="list-paths__item__arrow">›</span> 886 shadow/login@1:4.13+dfsg1-4ubuntu3.2 887 <span class="list-paths__item__arrow">›</span> 888 pam/libpam0g@1.5.3-5ubuntu5.4 889 890 </span> 891 892 </li> 893 <li> 894 <span class="list-paths__item__introduced"><em>Introduced through</em>: 895 docker-image|quay.io/argoproj/argocd@v2.14.17 896 <span class="list-paths__item__arrow">›</span> 897 util-linux@2.39.3-9ubuntu6.3 898 <span class="list-paths__item__arrow">›</span> 899 pam/libpam0g@1.5.3-5ubuntu5.4 900 901 </span> 902 903 </li> 904 <li> 905 <span class="list-paths__item__introduced"><em>Introduced through</em>: 906 docker-image|quay.io/argoproj/argocd@v2.14.17 907 <span class="list-paths__item__arrow">›</span> 908 apt@2.8.3 909 <span class="list-paths__item__arrow">›</span> 910 adduser@3.137ubuntu1 911 <span class="list-paths__item__arrow">›</span> 912 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 913 <span class="list-paths__item__arrow">›</span> 914 pam/libpam0g@1.5.3-5ubuntu5.4 915 916 </span> 917 918 </li> 919 <li> 920 <span class="list-paths__item__introduced"><em>Introduced through</em>: 921 docker-image|quay.io/argoproj/argocd@v2.14.17 922 <span class="list-paths__item__arrow">›</span> 923 apt@2.8.3 924 <span class="list-paths__item__arrow">›</span> 925 adduser@3.137ubuntu1 926 <span class="list-paths__item__arrow">›</span> 927 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 928 <span class="list-paths__item__arrow">›</span> 929 pam/libpam-modules@1.5.3-5ubuntu5.4 930 <span class="list-paths__item__arrow">›</span> 931 pam/libpam0g@1.5.3-5ubuntu5.4 932 933 </span> 934 935 </li> 936 <li> 937 <span class="list-paths__item__introduced"><em>Introduced through</em>: 938 docker-image|quay.io/argoproj/argocd@v2.14.17 939 <span 
class="list-paths__item__arrow">›</span> 940 apt@2.8.3 941 <span class="list-paths__item__arrow">›</span> 942 adduser@3.137ubuntu1 943 <span class="list-paths__item__arrow">›</span> 944 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 945 <span class="list-paths__item__arrow">›</span> 946 pam/libpam-modules@1.5.3-5ubuntu5.4 947 <span class="list-paths__item__arrow">›</span> 948 pam/libpam-modules-bin@1.5.3-5ubuntu5.4 949 <span class="list-paths__item__arrow">›</span> 950 pam/libpam0g@1.5.3-5ubuntu5.4 951 952 </span> 953 954 </li> 955 <li> 956 <span class="list-paths__item__introduced"><em>Introduced through</em>: 957 docker-image|quay.io/argoproj/argocd@v2.14.17 958 <span class="list-paths__item__arrow">›</span> 959 pam/libpam-modules-bin@1.5.3-5ubuntu5.4 960 961 </span> 962 963 </li> 964 <li> 965 <span class="list-paths__item__introduced"><em>Introduced through</em>: 966 docker-image|quay.io/argoproj/argocd@v2.14.17 967 <span class="list-paths__item__arrow">›</span> 968 apt@2.8.3 969 <span class="list-paths__item__arrow">›</span> 970 adduser@3.137ubuntu1 971 <span class="list-paths__item__arrow">›</span> 972 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 973 <span class="list-paths__item__arrow">›</span> 974 pam/libpam-modules@1.5.3-5ubuntu5.4 975 <span class="list-paths__item__arrow">›</span> 976 pam/libpam-modules-bin@1.5.3-5ubuntu5.4 977 978 </span> 979 980 </li> 981 <li> 982 <span class="list-paths__item__introduced"><em>Introduced through</em>: 983 docker-image|quay.io/argoproj/argocd@v2.14.17 984 <span class="list-paths__item__arrow">›</span> 985 pam/libpam-modules@1.5.3-5ubuntu5.4 986 987 </span> 988 989 </li> 990 <li> 991 <span class="list-paths__item__introduced"><em>Introduced through</em>: 992 docker-image|quay.io/argoproj/argocd@v2.14.17 993 <span class="list-paths__item__arrow">›</span> 994 pam/libpam-runtime@1.5.3-5ubuntu5.4 995 <span class="list-paths__item__arrow">›</span> 996 pam/libpam-modules@1.5.3-5ubuntu5.4 997 998 </span> 999 1000 </li> 1001 <li> 1002 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1003 docker-image|quay.io/argoproj/argocd@v2.14.17 1004 <span class="list-paths__item__arrow">›</span> 1005 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1006 <span class="list-paths__item__arrow">›</span> 1007 pam/libpam-modules@1.5.3-5ubuntu5.4 1008 1009 </span> 1010 1011 </li> 1012 <li> 1013 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1014 docker-image|quay.io/argoproj/argocd@v2.14.17 1015 <span class="list-paths__item__arrow">›</span> 1016 apt@2.8.3 1017 <span class="list-paths__item__arrow">›</span> 1018 adduser@3.137ubuntu1 1019 <span class="list-paths__item__arrow">›</span> 1020 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1021 <span class="list-paths__item__arrow">›</span> 1022 pam/libpam-modules@1.5.3-5ubuntu5.4 1023 1024 </span> 1025 1026 </li> 1027 <li> 1028 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1029 docker-image|quay.io/argoproj/argocd@v2.14.17 1030 <span class="list-paths__item__arrow">›</span> 1031 pam/libpam-runtime@1.5.3-5ubuntu5.4 1032 1033 </span> 1034 1035 </li> 1036 <li> 1037 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1038 docker-image|quay.io/argoproj/argocd@v2.14.17 1039 <span class="list-paths__item__arrow">›</span> 1040 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1041 <span class="list-paths__item__arrow">›</span> 1042 pam/libpam-runtime@1.5.3-5ubuntu5.4 1043 1044 </span> 1045 1046 </li> 1047 </ul><!-- .list-paths --> 1048 1049 </div><!-- .card__section --> 1050 1051 <hr/> 1052 <!-- Overview --> 1053 <h2 id="nvd-description">NVD Description</h2> 1054 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pam</code> package and not the <code>pam</code> package as distributed by <code>Ubuntu</code>.</em> 1055 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1056 <p>A vulnerability was found in PAM. 
The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.</p> 1057 <h2 id="remediation">Remediation</h2> 1058 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>pam</code>.</p> 1059 <h2 id="references">References</h2> 1060 <ul> 1061 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041</a></li> 1062 <li><a href="https://access.redhat.com/security/cve/CVE-2024-10041">https://access.redhat.com/security/cve/CVE-2024-10041</a></li> 1063 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2319212">https://bugzilla.redhat.com/show_bug.cgi?id=2319212</a></li> 1064 <li><a href="https://access.redhat.com/errata/RHSA-2024:9941">https://access.redhat.com/errata/RHSA-2024:9941</a></li> 1065 <li><a href="https://access.redhat.com/errata/RHSA-2024:10379">https://access.redhat.com/errata/RHSA-2024:10379</a></li> 1066 <li><a href="https://access.redhat.com/errata/RHSA-2024:11250">https://access.redhat.com/errata/RHSA-2024:11250</a></li> 1067 </ul> 1068 1069 <hr/> 1070 1071 <div class="cta card__cta"> 1072 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-8303372">More about this vulnerability</a></p> 1073 </div> 1074 1075 </div><!-- .card --> 1076 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1077 <h2 class="card__title">Improper Authentication</h2> 1078 <div class="card__section"> 1079 1080 <div class="card__labels"> 1081 <div class="label label--medium"> 1082 <span class="label__text">medium severity</span> 1083 </div> 1084 </div> 1085 1086 <hr/> 1087 1088 <ul class="card__meta"> 1089 <li class="card__meta__item"> 1090 
Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1091 </li> 1092 <li class="card__meta__item"> 1093 Package Manager: ubuntu:24.04 1094 </li> 1095 <li class="card__meta__item"> 1096 Vulnerable module: 1097 1098 pam/libpam0g 1099 </li> 1100 1101 <li class="card__meta__item">Introduced through: 1102 1103 docker-image|quay.io/argoproj/argocd@v2.14.17 and pam/libpam0g@1.5.3-5ubuntu5.4 1104 1105 </li> 1106 </ul> 1107 1108 <hr/> 1109 1110 1111 <h3 class="card__section__title">Detailed paths</h3> 1112 1113 <ul class="card__meta__paths"> 1114 <li> 1115 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1116 docker-image|quay.io/argoproj/argocd@v2.14.17 1117 <span class="list-paths__item__arrow">›</span> 1118 pam/libpam0g@1.5.3-5ubuntu5.4 1119 1120 </span> 1121 1122 </li> 1123 <li> 1124 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1125 docker-image|quay.io/argoproj/argocd@v2.14.17 1126 <span class="list-paths__item__arrow">›</span> 1127 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1128 <span class="list-paths__item__arrow">›</span> 1129 pam/libpam0g@1.5.3-5ubuntu5.4 1130 1131 </span> 1132 1133 </li> 1134 <li> 1135 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1136 docker-image|quay.io/argoproj/argocd@v2.14.17 1137 <span class="list-paths__item__arrow">›</span> 1138 util-linux@2.39.3-9ubuntu6.3 1139 <span class="list-paths__item__arrow">›</span> 1140 pam/libpam0g@1.5.3-5ubuntu5.4 1141 1142 </span> 1143 1144 </li> 1145 <li> 1146 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1147 docker-image|quay.io/argoproj/argocd@v2.14.17 1148 <span class="list-paths__item__arrow">›</span> 1149 apt@2.8.3 1150 <span class="list-paths__item__arrow">›</span> 1151 adduser@3.137ubuntu1 1152 <span class="list-paths__item__arrow">›</span> 1153 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1154 <span class="list-paths__item__arrow">›</span> 1155 
pam/libpam0g@1.5.3-5ubuntu5.4 1156 1157 </span> 1158 1159 </li> 1160 <li> 1161 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1162 docker-image|quay.io/argoproj/argocd@v2.14.17 1163 <span class="list-paths__item__arrow">›</span> 1164 apt@2.8.3 1165 <span class="list-paths__item__arrow">›</span> 1166 adduser@3.137ubuntu1 1167 <span class="list-paths__item__arrow">›</span> 1168 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1169 <span class="list-paths__item__arrow">›</span> 1170 pam/libpam-modules@1.5.3-5ubuntu5.4 1171 <span class="list-paths__item__arrow">›</span> 1172 pam/libpam0g@1.5.3-5ubuntu5.4 1173 1174 </span> 1175 1176 </li> 1177 <li> 1178 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1179 docker-image|quay.io/argoproj/argocd@v2.14.17 1180 <span class="list-paths__item__arrow">›</span> 1181 apt@2.8.3 1182 <span class="list-paths__item__arrow">›</span> 1183 adduser@3.137ubuntu1 1184 <span class="list-paths__item__arrow">›</span> 1185 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1186 <span class="list-paths__item__arrow">›</span> 1187 pam/libpam-modules@1.5.3-5ubuntu5.4 1188 <span class="list-paths__item__arrow">›</span> 1189 pam/libpam-modules-bin@1.5.3-5ubuntu5.4 1190 <span class="list-paths__item__arrow">›</span> 1191 pam/libpam0g@1.5.3-5ubuntu5.4 1192 1193 </span> 1194 1195 </li> 1196 <li> 1197 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1198 docker-image|quay.io/argoproj/argocd@v2.14.17 1199 <span class="list-paths__item__arrow">›</span> 1200 pam/libpam-modules-bin@1.5.3-5ubuntu5.4 1201 1202 </span> 1203 1204 </li> 1205 <li> 1206 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1207 docker-image|quay.io/argoproj/argocd@v2.14.17 1208 <span class="list-paths__item__arrow">›</span> 1209 apt@2.8.3 1210 <span class="list-paths__item__arrow">›</span> 1211 adduser@3.137ubuntu1 1212 <span class="list-paths__item__arrow">›</span> 1213 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1214 
<span class="list-paths__item__arrow">›</span> 1215 pam/libpam-modules@1.5.3-5ubuntu5.4 1216 <span class="list-paths__item__arrow">›</span> 1217 pam/libpam-modules-bin@1.5.3-5ubuntu5.4 1218 1219 </span> 1220 1221 </li> 1222 <li> 1223 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1224 docker-image|quay.io/argoproj/argocd@v2.14.17 1225 <span class="list-paths__item__arrow">›</span> 1226 pam/libpam-modules@1.5.3-5ubuntu5.4 1227 1228 </span> 1229 1230 </li> 1231 <li> 1232 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1233 docker-image|quay.io/argoproj/argocd@v2.14.17 1234 <span class="list-paths__item__arrow">›</span> 1235 pam/libpam-runtime@1.5.3-5ubuntu5.4 1236 <span class="list-paths__item__arrow">›</span> 1237 pam/libpam-modules@1.5.3-5ubuntu5.4 1238 1239 </span> 1240 1241 </li> 1242 <li> 1243 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1244 docker-image|quay.io/argoproj/argocd@v2.14.17 1245 <span class="list-paths__item__arrow">›</span> 1246 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1247 <span class="list-paths__item__arrow">›</span> 1248 pam/libpam-modules@1.5.3-5ubuntu5.4 1249 1250 </span> 1251 1252 </li> 1253 <li> 1254 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1255 docker-image|quay.io/argoproj/argocd@v2.14.17 1256 <span class="list-paths__item__arrow">›</span> 1257 apt@2.8.3 1258 <span class="list-paths__item__arrow">›</span> 1259 adduser@3.137ubuntu1 1260 <span class="list-paths__item__arrow">›</span> 1261 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1262 <span class="list-paths__item__arrow">›</span> 1263 pam/libpam-modules@1.5.3-5ubuntu5.4 1264 1265 </span> 1266 1267 </li> 1268 <li> 1269 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1270 docker-image|quay.io/argoproj/argocd@v2.14.17 1271 <span class="list-paths__item__arrow">›</span> 1272 pam/libpam-runtime@1.5.3-5ubuntu5.4 1273 1274 </span> 1275 1276 </li> 1277 <li> 1278 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1279 docker-image|quay.io/argoproj/argocd@v2.14.17 1280 <span class="list-paths__item__arrow">›</span> 1281 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1282 <span class="list-paths__item__arrow">›</span> 1283 pam/libpam-runtime@1.5.3-5ubuntu5.4 1284 1285 </span> 1286 1287 </li> 1288 </ul><!-- .list-paths --> 1289 1290 </div><!-- .card__section --> 1291 1292 <hr/> 1293 <!-- Overview --> 1294 <h2 id="nvd-description">NVD Description</h2> 1295 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pam</code> package and not the <code>pam</code> package as distributed by <code>Ubuntu</code>.</em> 1296 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1297 <p>A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. 
This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.</p> 1298 <h2 id="remediation">Remediation</h2> 1299 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>pam</code>.</p> 1300 <h2 id="references">References</h2> 1301 <ul> 1302 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963</a></li> 1303 <li><a href="https://access.redhat.com/security/cve/CVE-2024-10963">https://access.redhat.com/security/cve/CVE-2024-10963</a></li> 1304 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2324291">https://bugzilla.redhat.com/show_bug.cgi?id=2324291</a></li> 1305 <li><a href="https://access.redhat.com/errata/RHSA-2024:10232">https://access.redhat.com/errata/RHSA-2024:10232</a></li> 1306 <li><a href="https://access.redhat.com/errata/RHSA-2024:10244">https://access.redhat.com/errata/RHSA-2024:10244</a></li> 1307 <li><a href="https://access.redhat.com/errata/RHSA-2024:10379">https://access.redhat.com/errata/RHSA-2024:10379</a></li> 1308 <li><a href="https://access.redhat.com/errata/RHSA-2024:10518">https://access.redhat.com/errata/RHSA-2024:10518</a></li> 1309 <li><a href="https://access.redhat.com/errata/RHSA-2024:10528">https://access.redhat.com/errata/RHSA-2024:10528</a></li> 1310 <li><a href="https://access.redhat.com/errata/RHSA-2024:10852">https://access.redhat.com/errata/RHSA-2024:10852</a></li> 1311 </ul> 1312 1313 <hr/> 1314 1315 <div class="cta card__cta"> 1316 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-8352843">More about this vulnerability</a></p> 1317 </div> 1318 1319 </div><!-- .card --> 1320 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1321 <h2 class="card__title">LGPL-3.0 license</h2> 1322 <div class="card__section"> 1323 1324 <div class="card__labels"> 1325 <div class="label label--medium"> 1326 <span class="label__text">medium severity</span> 
1327 </div> 1328 </div> 1329 1330 <hr/> 1331 1332 <ul class="card__meta"> 1333 <li class="card__meta__item"> 1334 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1335 </li> 1336 <li class="card__meta__item"> 1337 Package Manager: golang 1338 </li> 1339 <li class="card__meta__item"> 1340 Module: 1341 1342 gopkg.in/retry.v1 1343 </li> 1344 1345 <li class="card__meta__item">Introduced through: 1346 1347 github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 1348 1349 </li> 1350 </ul> 1351 1352 <hr/> 1353 1354 1355 <h3 class="card__section__title">Detailed paths</h3> 1356 1357 <ul class="card__meta__paths"> 1358 <li> 1359 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1360 github.com/argoproj/argo-cd/v2@* 1361 <span class="list-paths__item__arrow">›</span> 1362 gopkg.in/retry.v1@v1.0.3 1363 1364 </span> 1365 1366 </li> 1367 </ul><!-- .list-paths --> 1368 1369 </div><!-- .card__section --> 1370 1371 <hr/> 1372 <!-- Overview --> 1373 <p>LGPL-3.0 license</p> 1374 1375 <hr/> 1376 1377 <div class="cta card__cta"> 1378 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p> 1379 </div> 1380 1381 </div><!-- .card --> 1382 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1383 <h2 class="card__title">Improper Validation of Syntactic Correctness of Input</h2> 1384 <div class="card__section"> 1385 1386 <div class="card__labels"> 1387 <div class="label label--medium"> 1388 <span class="label__text">medium severity</span> 1389 </div> 1390 </div> 1391 1392 <hr/> 1393 1394 <ul class="card__meta"> 1395 <li class="card__meta__item"> 1396 Manifest file: quay.io/argoproj/argocd:v2.14.17/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm 1397 </li> 1398 <li class="card__meta__item"> 1399 Package Manager: golang 1400 </li> 1401 <li 
class="card__meta__item"> 1402 Vulnerable module: 1403 1404 golang.org/x/net/html 1405 </li> 1406 1407 <li class="card__meta__item">Introduced through: 1408 1409 helm.sh/helm/v3@* and golang.org/x/net/html@v0.26.0 1410 1411 </li> 1412 </ul> 1413 1414 <hr/> 1415 1416 1417 <h3 class="card__section__title">Detailed paths</h3> 1418 1419 <ul class="card__meta__paths"> 1420 <li> 1421 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1422 helm.sh/helm/v3@* 1423 <span class="list-paths__item__arrow">›</span> 1424 golang.org/x/net/html@v0.26.0 1425 1426 </span> 1427 1428 </li> 1429 </ul><!-- .list-paths --> 1430 1431 </div><!-- .card__section --> 1432 1433 <hr/> 1434 <!-- Overview --> 1435 <h2 id="overview">Overview</h2> 1436 <p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p> 1437 <p>Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the tokenizer in <code>token.go</code>, which incorrectly interprets tags as closing tags, allowing malicious input to be incorrectly processed and the DOM to be corrupted.</p> 1438 <h2 id="details">Details</h2> 1439 <p>Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.</p> 1440 <p>This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.</p> 1441 <p>Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.</p> 1442 <p>Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, <code>&lt;</code> can be coded as <code>&amp;lt;</code> and <code>&gt;</code> can be coded as <code>&amp;gt;</code> in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses <code>&lt;</code> and <code>&gt;</code> as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.</p> 1443 <p>The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. </p> 1444 <h3 id="types-of-attacks">Types of attacks</h3> 1445 <p>There are a few methods by which XSS can be manipulated:</p> 1446 <table> 1447 <thead> 1448 <tr> 1449 <th>Type</th> 1450 <th>Origin</th> 1451 <th>Description</th> 1452 </tr> 1453 </thead> 1454 <tbody><tr> 1455 <td><strong>Stored</strong></td> 1456 <td>Server</td> 1457 <td>The malicious code is inserted in the application (usually as a link) by the attacker. 
The code is activated every time a user clicks the link.</td> 1458 </tr> 1459 <tr> 1460 <td><strong>Reflected</strong></td> 1461 <td>Server</td> 1462 <td>The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.</td> 1463 </tr> 1464 <tr> 1465 <td><strong>DOM-based</strong></td> 1466 <td>Client</td> 1467 <td>The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.</td> 1468 </tr> 1469 <tr> 1470 <td><strong>Mutated</strong></td> 1471 <td></td> 1472 <td>The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.</td> 1473 </tr> 1474 </tbody></table> 1475 <h3 id="affected-environments">Affected environments</h3> 1476 <p>The following environments are susceptible to an XSS attack:</p> 1477 <ul> 1478 <li>Web servers</li> 1479 <li>Application servers</li> 1480 <li>Web application environments</li> 1481 </ul> 1482 <h3 id="how-to-prevent">How to prevent</h3> 1483 <p>This section describes the top best practices designed to specifically protect your code: </p> 1484 <ul> 1485 <li>Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. </li> 1486 <li>Convert special characters such as <code>?</code>, <code>&amp;</code>, <code>/</code>, <code>&lt;</code>, <code>&gt;</code> and spaces to their respective HTML or URL encoded equivalents. 
</li> 1487 <li>Give users the option to disable client-side scripts.</li> 1488 <li>Redirect invalid requests.</li> 1489 <li>Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.</li> 1490 <li>Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.</li> 1491 <li>Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.</li> 1492 </ul> 1493 <h2 id="remediation">Remediation</h2> 1494 <p>Upgrade <code>golang.org/x/net/html</code> to version 0.38.0 or higher. In this image the module is reported inside the bundled <code>/usr/local/bin/helm</code> binary (<code>helm.sh/helm/v3@*</code>), so the upgrade takes effect only once the image ships a Helm build compiled against the fixed module version.</p> 1495 <h2 id="references">References</h2> 1496 <ul> 1497 <li><a href="https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9">GitHub Commit</a></li> 1498 <li><a href="https://github.com/golang/go/issues/73070">GitHub Issue</a></li> 1499 <li><a href="https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA">Google Groups Announcement</a></li> 1500 </ul> 1501 1502 <hr/> 1503 1504 <div class="cta card__cta"> 1505 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-9572088">More about this vulnerability</a></p> 1506 </div> 1507 1508 </div><!-- .card --> 1509 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1510 <h2 class="card__title">CVE-2025-8058</h2> 1511 <div class="card__section"> 1512 1513 <div class="card__labels"> 1514 <div class="label label--medium"> 1515 <span class="label__text">medium severity</span> 1516 </div> 1517 </div> 1518 1519 <hr/> 1520 1521 <ul class="card__meta"> 1522 <li class="card__meta__item"> 1523 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1524 </li> 1525 <li class="card__meta__item"> 1526 Package Manager: ubuntu:24.04 1527 </li> 1528 <li class="card__meta__item"> 1529 Vulnerable module: 1530 1531 glibc/libc-bin 1532 </li> 1533 1534 <li 
class="card__meta__item">Introduced through: 1535 1536 docker-image|quay.io/argoproj/argocd@v2.14.17 and glibc/libc-bin@2.39-0ubuntu8.5 1537 1538 </li> 1539 </ul> 1540 1541 <hr/> 1542 1543 1544 <h3 class="card__section__title">Detailed paths</h3> 1545 1546 <ul class="card__meta__paths"> 1547 <li> 1548 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1549 docker-image|quay.io/argoproj/argocd@v2.14.17 1550 <span class="list-paths__item__arrow">›</span> 1551 glibc/libc-bin@2.39-0ubuntu8.5 1552 1553 </span> 1554 1555 </li> 1556 <li> 1557 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1558 docker-image|quay.io/argoproj/argocd@v2.14.17 1559 <span class="list-paths__item__arrow">›</span> 1560 glibc/libc6@2.39-0ubuntu8.5 1561 1562 </span> 1563 1564 </li> 1565 </ul><!-- .list-paths --> 1566 1567 </div><!-- .card__section --> 1568 1569 <hr/> 1570 <!-- Overview --> 1571 <h2 id="nvd-description">NVD Description</h2> 1572 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 1573 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1574 <p>The regcomp function in the GNU C library versions 2.4 to 2.41 is 1575 subject to a double free if some previous allocation fails. It can be 1576 accomplished either by a malloc failure or by using an interposed malloc 1577 that injects random malloc failures. The double free can allow buffer 1578 manipulation depending on how the regex is constructed. 
This issue 1579 affects all architectures and ABIs supported by the GNU C library.</p> 1580 <h2 id="remediation">Remediation</h2> 1581 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>glibc</code>.</p> 1582 <h2 id="references">References</h2> 1583 <ul> 1584 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058</a></li> 1585 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=33185">https://sourceware.org/bugzilla/show_bug.cgi?id=33185</a></li> 1586 <li><a href="https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f">https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f</a></li> 1587 </ul> 1588 1589 <hr/> 1590 1591 <div class="cta card__cta"> 1592 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-11031045">More about this vulnerability</a></p> 1593 </div> 1594 1595 </div><!-- .card --> 1596 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1597 <h2 class="card__title">MPL-2.0 license</h2> 1598 <div class="card__section"> 1599 1600 <div class="card__labels"> 1601 <div class="label label--medium"> 1602 <span class="label__text">medium severity</span> 1603 </div> 1604 </div> 1605 1606 <hr/> 1607 1608 <ul class="card__meta"> 1609 <li class="card__meta__item"> 1610 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1611 </li> 1612 <li class="card__meta__item"> 1613 Package Manager: golang 1614 </li> 1615 <li class="card__meta__item"> 1616 Module: 1617 1618 github.com/r3labs/diff 1619 </li> 1620 1621 <li class="card__meta__item">Introduced through: 1622 1623 github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 1624 1625 </li> 1626 </ul> 1627 1628 <hr/> 1629 1630 1631 <h3 class="card__section__title">Detailed paths</h3> 1632 1633 <ul 
class="card__meta__paths"> 1634 <li> 1635 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1636 github.com/argoproj/argo-cd/v2@* 1637 <span class="list-paths__item__arrow">›</span> 1638 github.com/r3labs/diff@v1.1.0 1639 1640 </span> 1641 1642 </li> 1643 </ul><!-- .list-paths --> 1644 1645 </div><!-- .card__section --> 1646 1647 <hr/> 1648 <!-- Overview --> 1649 <p>MPL-2.0 license</p> 1650 1651 <hr/> 1652 1653 <div class="cta card__cta"> 1654 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:MPL-2.0">More about this vulnerability</a></p> 1655 </div> 1656 1657 </div><!-- .card --> 1658 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1659 <h2 class="card__title">MPL-2.0 license</h2> 1660 <div class="card__section"> 1661 1662 <div class="card__labels"> 1663 <div class="label label--medium"> 1664 <span class="label__text">medium severity</span> 1665 </div> 1666 </div> 1667 1668 <hr/> 1669 1670 <ul class="card__meta"> 1671 <li class="card__meta__item"> 1672 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1673 </li> 1674 <li class="card__meta__item"> 1675 Package Manager: golang 1676 </li> 1677 <li class="card__meta__item"> 1678 Module: 1679 1680 github.com/hashicorp/go-version 1681 </li> 1682 1683 <li class="card__meta__item">Introduced through: 1684 1685 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.6.0 1686 1687 </li> 1688 </ul> 1689 1690 <hr/> 1691 1692 1693 <h3 class="card__section__title">Detailed paths</h3> 1694 1695 <ul class="card__meta__paths"> 1696 <li> 1697 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1698 github.com/argoproj/argo-cd/v2@* 1699 <span class="list-paths__item__arrow">›</span> 1700 github.com/hashicorp/go-version@v1.6.0 1701 1702 </span> 1703 1704 </li> 1705 </ul><!-- .list-paths --> 1706 1707 </div><!-- .card__section 
--> 1708 1709 <hr/> 1710 <!-- Overview --> 1711 <p>MPL-2.0 license</p> 1712 1713 <hr/> 1714 1715 <div class="cta card__cta"> 1716 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p> 1717 </div> 1718 1719 </div><!-- .card --> 1720 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1721 <h2 class="card__title">MPL-2.0 license</h2> 1722 <div class="card__section"> 1723 1724 <div class="card__labels"> 1725 <div class="label label--medium"> 1726 <span class="label__text">medium severity</span> 1727 </div> 1728 </div> 1729 1730 <hr/> 1731 1732 <ul class="card__meta"> 1733 <li class="card__meta__item"> 1734 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1735 </li> 1736 <li class="card__meta__item"> 1737 Package Manager: golang 1738 </li> 1739 <li class="card__meta__item"> 1740 Module: 1741 1742 github.com/hashicorp/go-retryablehttp 1743 </li> 1744 1745 <li class="card__meta__item">Introduced through: 1746 1747 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.7 1748 1749 </li> 1750 </ul> 1751 1752 <hr/> 1753 1754 1755 <h3 class="card__section__title">Detailed paths</h3> 1756 1757 <ul class="card__meta__paths"> 1758 <li> 1759 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1760 github.com/argoproj/argo-cd/v2@* 1761 <span class="list-paths__item__arrow">›</span> 1762 github.com/hashicorp/go-retryablehttp@v0.7.7 1763 1764 </span> 1765 1766 </li> 1767 </ul><!-- .list-paths --> 1768 1769 </div><!-- .card__section --> 1770 1771 <hr/> 1772 <!-- Overview --> 1773 <p>MPL-2.0 license</p> 1774 1775 <hr/> 1776 1777 <div class="cta card__cta"> 1778 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1779 </div> 1780 1781 </div><!-- .card --> 1782 
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1783 <h2 class="card__title">MPL-2.0 license</h2> 1784 <div class="card__section"> 1785 1786 <div class="card__labels"> 1787 <div class="label label--medium"> 1788 <span class="label__text">medium severity</span> 1789 </div> 1790 </div> 1791 1792 <hr/> 1793 1794 <ul class="card__meta"> 1795 <li class="card__meta__item"> 1796 Manifest file: quay.io/argoproj/argocd:v2.14.17/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm 1797 </li> 1798 <li class="card__meta__item"> 1799 Package Manager: golang 1800 </li> 1801 <li class="card__meta__item"> 1802 Module: 1803 1804 github.com/hashicorp/go-multierror 1805 </li> 1806 1807 <li class="card__meta__item">Introduced through: 1808 1809 helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 1810 1811 </li> 1812 </ul> 1813 1814 <hr/> 1815 1816 1817 <h3 class="card__section__title">Detailed paths</h3> 1818 1819 <ul class="card__meta__paths"> 1820 <li> 1821 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1822 helm.sh/helm/v3@* 1823 <span class="list-paths__item__arrow">›</span> 1824 github.com/hashicorp/go-multierror@v1.1.1 1825 1826 </span> 1827 1828 </li> 1829 </ul><!-- .list-paths --> 1830 1831 </div><!-- .card__section --> 1832 1833 <hr/> 1834 <!-- Overview --> 1835 <p>MPL-2.0 license</p> 1836 1837 <hr/> 1838 1839 <div class="cta card__cta"> 1840 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p> 1841 </div> 1842 1843 </div><!-- .card --> 1844 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1845 <h2 class="card__title">MPL-2.0 license</h2> 1846 <div class="card__section"> 1847 1848 <div class="card__labels"> 1849 <div class="label label--medium"> 1850 <span class="label__text">medium severity</span> 1851 </div> 1852 </div> 1853 1854 <hr/> 1855 1856 <ul 
class="card__meta"> 1857 <li class="card__meta__item"> 1858 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1859 </li> 1860 <li class="card__meta__item"> 1861 Package Manager: golang 1862 </li> 1863 <li class="card__meta__item"> 1864 Module: 1865 1866 github.com/hashicorp/go-cleanhttp 1867 </li> 1868 1869 <li class="card__meta__item">Introduced through: 1870 1871 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2 1872 1873 </li> 1874 </ul> 1875 1876 <hr/> 1877 1878 1879 <h3 class="card__section__title">Detailed paths</h3> 1880 1881 <ul class="card__meta__paths"> 1882 <li> 1883 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1884 github.com/argoproj/argo-cd/v2@* 1885 <span class="list-paths__item__arrow">›</span> 1886 github.com/hashicorp/go-cleanhttp@v0.5.2 1887 1888 </span> 1889 1890 </li> 1891 </ul><!-- .list-paths --> 1892 1893 </div><!-- .card__section --> 1894 1895 <hr/> 1896 <!-- Overview --> 1897 <p>MPL-2.0 license</p> 1898 1899 <hr/> 1900 1901 <div class="cta card__cta"> 1902 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this license issue</a></p> 1903 </div> 1904 1905 </div><!-- .card --> 1906 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1907 <h2 class="card__title">MPL-2.0 license</h2> 1908 <div class="card__section"> 1909 1910 <div class="card__labels"> 1911 <div class="label label--medium"> 1912 <span class="label__text">medium severity</span> 1913 </div> 1914 </div> 1915 1916 <hr/> 1917 1918 <ul class="card__meta"> 1919 <li class="card__meta__item"> 1920 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1921 </li> 1922 <li class="card__meta__item"> 1923 Package Manager: golang 1924 </li> 1925 <li class="card__meta__item"> 1926 
Module: 1927 1928 github.com/gosimple/slug 1929 </li> 1930 1931 <li class="card__meta__item">Introduced through: 1932 1933 github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.14.0 1934 1935 </li> 1936 </ul> 1937 1938 <hr/> 1939 1940 1941 <h3 class="card__section__title">Detailed paths</h3> 1942 1943 <ul class="card__meta__paths"> 1944 <li> 1945 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1946 github.com/argoproj/argo-cd/v2@* 1947 <span class="list-paths__item__arrow">›</span> 1948 github.com/gosimple/slug@v1.14.0 1949 1950 </span> 1951 1952 </li> 1953 </ul><!-- .list-paths --> 1954 1955 </div><!-- .card__section --> 1956 1957 <hr/> 1958 <!-- Overview --> 1959 <p>MPL-2.0 license</p> 1960 1961 <hr/> 1962 1963 <div class="cta card__cta"> 1964 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this license issue</a></p> 1965 </div> 1966 1967 </div><!-- .card --> 1968 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1969 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 1970 <div class="card__section"> 1971 1972 <div class="card__labels"> 1973 <div class="label label--medium"> 1974 <span class="label__text">medium severity</span> 1975 </div> 1976 </div> 1977 1978 <hr/> 1979 1980 <ul class="card__meta"> 1981 <li class="card__meta__item"> 1982 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1983 </li> 1984 <li class="card__meta__item"> 1985 Package Manager: golang 1986 </li> 1987 <li class="card__meta__item"> 1988 Vulnerable module: 1989 1990 github.com/go-jose/go-jose/v4 1991 </li> 1992 1993 <li class="card__meta__item">Introduced through: 1994 1995 github.com/argoproj/argo-cd/v2@* and github.com/go-jose/go-jose/v4@v4.0.2 1996 1997 </li> 1998 </ul> 1999 2000 <hr/> 2001 2002 2003 <h3 class="card__section__title">Detailed 
paths</h3> 2004 2005 <ul class="card__meta__paths"> 2006 <li> 2007 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2008 github.com/argoproj/argo-cd/v2@* 2009 <span class="list-paths__item__arrow">›</span> 2010 github.com/go-jose/go-jose/v4@v4.0.2 2011 2012 </span> 2013 2014 </li> 2015 </ul><!-- .list-paths --> 2016 2017 </div><!-- .card__section --> 2018 2019 <hr/> 2020 <!-- Overview --> 2021 <h2 id="overview">Overview</h2> 2022 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. </p> 2023 <h2 id="workaround">Workaround</h2> 2024 <p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p> 2025 <h2 id="remediation">Remediation</h2> 2026 <p>Upgrade <code>github.com/go-jose/go-jose/v4</code> to version 4.0.5 or higher.</p> 2027 <h2 id="references">References</h2> 2028 <ul> 2029 <li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li> 2030 <li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li> 2031 </ul> 2032 2033 <hr/> 2034 2035 <div class="cta card__cta"> 2036 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-8745975">More about this vulnerability</a></p> 2037 </div> 2038 2039 </div><!-- .card --> 2040 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 2041 <h2 class="card__title">Improper Encoding or Escaping of Output</h2> 2042 <div class="card__section"> 2043 2044 <div class="card__labels"> 2045 <div class="label label--medium"> 2046 <span class="label__text">medium severity</span> 2047 </div> 2048 </div> 2049 2050 <hr/> 
2051 2052 <ul class="card__meta"> 2053 <li class="card__meta__item"> 2054 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2055 </li> 2056 <li class="card__meta__item"> 2057 Package Manager: ubuntu:24.04 2058 </li> 2059 <li class="card__meta__item"> 2060 Vulnerable module: 2061 2062 git/git-man 2063 </li> 2064 2065 <li class="card__meta__item">Introduced through: 2066 2067 2068 docker-image|quay.io/argoproj/argocd@v2.14.17, git@1:2.43.0-1ubuntu7.3 and others 2069 </li> 2070 </ul> 2071 2072 <hr/> 2073 2074 2075 <h3 class="card__section__title">Detailed paths</h3> 2076 2077 <ul class="card__meta__paths"> 2078 <li> 2079 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2080 docker-image|quay.io/argoproj/argocd@v2.14.17 2081 <span class="list-paths__item__arrow">›</span> 2082 git@1:2.43.0-1ubuntu7.3 2083 <span class="list-paths__item__arrow">›</span> 2084 git/git-man@1:2.43.0-1ubuntu7.3 2085 2086 </span> 2087 2088 </li> 2089 <li> 2090 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2091 docker-image|quay.io/argoproj/argocd@v2.14.17 2092 <span class="list-paths__item__arrow">›</span> 2093 git@1:2.43.0-1ubuntu7.3 2094 2095 </span> 2096 2097 </li> 2098 <li> 2099 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2100 docker-image|quay.io/argoproj/argocd@v2.14.17 2101 <span class="list-paths__item__arrow">›</span> 2102 git-lfs@3.4.1-1ubuntu0.3 2103 <span class="list-paths__item__arrow">›</span> 2104 git@1:2.43.0-1ubuntu7.3 2105 2106 </span> 2107 2108 </li> 2109 </ul><!-- .list-paths --> 2110 2111 </div><!-- .card__section --> 2112 2113 <hr/> 2114 <!-- Overview --> 2115 <h2 id="nvd-description">NVD Description</h2> 2116 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu</code>.</em> 2117 
<em>See <code>Remediation</code> below for the fixed versions and status that apply to <code>Ubuntu:24.04</code>.</em></p> 2118 <p>Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.</p> 2119 <h2 id="remediation">Remediation</h2> 2120 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>git</code>.</p> 2121 <h2 id="references">References</h2> 2122 <ul> 2123 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005</a></li> 2124 <li><a href="https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329">https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329</a></li> 2125 <li><a href="https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net">https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net</a></li> 2126 </ul> 2127 2128 <hr/> 2129 2130 <div class="cta card__cta"> 2131 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GIT-8637112">More about this vulnerability</a></p> 2132 </div> 2133 2134 </div><!-- .card --> 2135 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2136 <h2 
class="card__title">CVE-2024-56433</h2> 2137 <div class="card__section"> 2138 2139 <div class="card__labels"> 2140 <div class="label label--low"> 2141 <span class="label__text">low severity</span> 2142 </div> 2143 </div> 2144 2145 <hr/> 2146 2147 <ul class="card__meta"> 2148 <li class="card__meta__item"> 2149 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2150 </li> 2151 <li class="card__meta__item"> 2152 Package Manager: ubuntu:24.04 2153 </li> 2154 <li class="card__meta__item"> 2155 Vulnerable module: 2156 2157 shadow/passwd 2158 </li> 2159 2160 <li class="card__meta__item">Introduced through: 2161 2162 docker-image|quay.io/argoproj/argocd@v2.14.17 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 2163 2164 </li> 2165 </ul> 2166 2167 <hr/> 2168 2169 2170 <h3 class="card__section__title">Detailed paths</h3> 2171 2172 <ul class="card__meta__paths"> 2173 <li> 2174 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2175 docker-image|quay.io/argoproj/argocd@v2.14.17 2176 <span class="list-paths__item__arrow">›</span> 2177 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 2178 2179 </span> 2180 2181 </li> 2182 <li> 2183 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2184 docker-image|quay.io/argoproj/argocd@v2.14.17 2185 <span class="list-paths__item__arrow">›</span> 2186 openssh/openssh-client@1:9.6p1-3ubuntu13.13 2187 <span class="list-paths__item__arrow">›</span> 2188 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 2189 2190 </span> 2191 2192 </li> 2193 <li> 2194 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2195 docker-image|quay.io/argoproj/argocd@v2.14.17 2196 <span class="list-paths__item__arrow">›</span> 2197 apt@2.8.3 2198 <span class="list-paths__item__arrow">›</span> 2199 adduser@3.137ubuntu1 2200 <span class="list-paths__item__arrow">›</span> 2201 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 2202 2203 </span> 2204 2205 </li> 2206 <li> 2207 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2208 docker-image|quay.io/argoproj/argocd@v2.14.17 2209 <span class="list-paths__item__arrow">›</span> 2210 shadow/login@1:4.13+dfsg1-4ubuntu3.2 2211 2212 </span> 2213 2214 </li> 2215 </ul><!-- .list-paths --> 2216 2217 </div><!-- .card__section --> 2218 2219 <hr/> 2220 <!-- Overview --> 2221 <h2 id="nvd-description">NVD Description</h2> 2222 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>shadow</code> package and not the <code>shadow</code> package as distributed by <code>Ubuntu</code>.</em> 2223 <em>See <code>Remediation</code> below for the fixed versions and status that apply to <code>Ubuntu:24.04</code>.</em></p> 2224 <p>shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). 
NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.</p> 2225 <h2 id="remediation">Remediation</h2> 2226 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>shadow</code>.</p> 2227 <h2 id="references">References</h2> 2228 <ul> 2229 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433</a></li> 2230 <li><a href="https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241">https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241</a></li> 2231 <li><a href="https://github.com/shadow-maint/shadow/issues/1157">https://github.com/shadow-maint/shadow/issues/1157</a></li> 2232 <li><a href="https://github.com/shadow-maint/shadow/releases/tag/4.4">https://github.com/shadow-maint/shadow/releases/tag/4.4</a></li> 2233 </ul> 2234 2235 <hr/> 2236 2237 <div class="cta card__cta"> 2238 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-SHADOW-8600509">More about this vulnerability</a></p> 2239 </div> 2240 2241 </div><!-- .card --> 2242 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2243 <h2 class="card__title">Release of Invalid Pointer or Reference</h2> 2244 <div class="card__section"> 2245 2246 <div class="card__labels"> 2247 <div class="label label--low"> 2248 <span class="label__text">low severity</span> 2249 </div> 2250 </div> 2251 2252 <hr/> 2253 2254 <ul class="card__meta"> 2255 <li class="card__meta__item"> 2256 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2257 </li> 2258 <li class="card__meta__item"> 2259 Package Manager: ubuntu:24.04 2260 </li> 2261 <li class="card__meta__item"> 2262 Vulnerable module: 2263 2264 patch 2265 </li> 2266 2267 <li 
class="card__meta__item">Introduced through: 2268 2269 docker-image|quay.io/argoproj/argocd@v2.14.17 and patch@2.7.6-7build3 2270 2271 </li> 2272 </ul> 2273 2274 <hr/> 2275 2276 2277 <h3 class="card__section__title">Detailed paths</h3> 2278 2279 <ul class="card__meta__paths"> 2280 <li> 2281 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2282 docker-image|quay.io/argoproj/argocd@v2.14.17 2283 <span class="list-paths__item__arrow">›</span> 2284 patch@2.7.6-7build3 2285 2286 </span> 2287 2288 </li> 2289 </ul><!-- .list-paths --> 2290 2291 </div><!-- .card__section --> 2292 2293 <hr/> 2294 <!-- Overview --> 2295 <h2 id="nvd-description">NVD Description</h2> 2296 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu</code>.</em> 2297 <em>See <code>Remediation</code> below for the fixed versions and status that apply to <code>Ubuntu:24.04</code>.</em></p> 2298 <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p> 2299 <h2 id="remediation">Remediation</h2> 2300 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>patch</code>.</p> 2301 <h2 id="references">References</h2> 2302 <ul> 2303 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261</a></li> 2304 <li><a href="https://savannah.gnu.org/bugs/?61685">https://savannah.gnu.org/bugs/?61685</a></li> 2305 </ul> 2306 2307 <hr/> 2308 2309 <div class="cta card__cta"> 2310 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PATCH-6707039">More about this vulnerability</a></p> 2311 </div> 2312 2313 </div><!-- .card --> 2314 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2315 <h2 class="card__title">Double Free</h2> 2316 <div class="card__section"> 2317 2318 <div 
class="card__labels"> 2319 <div class="label label--low"> 2320 <span class="label__text">low severity</span> 2321 </div> 2322 </div> 2323 2324 <hr/> 2325 2326 <ul class="card__meta"> 2327 <li class="card__meta__item"> 2328 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2329 </li> 2330 <li class="card__meta__item"> 2331 Package Manager: ubuntu:24.04 2332 </li> 2333 <li class="card__meta__item"> 2334 Vulnerable module: 2335 2336 patch 2337 </li> 2338 2339 <li class="card__meta__item">Introduced through: 2340 2341 docker-image|quay.io/argoproj/argocd@v2.14.17 and patch@2.7.6-7build3 2342 2343 </li> 2344 </ul> 2345 2346 <hr/> 2347 2348 2349 <h3 class="card__section__title">Detailed paths</h3> 2350 2351 <ul class="card__meta__paths"> 2352 <li> 2353 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2354 docker-image|quay.io/argoproj/argocd@v2.14.17 2355 <span class="list-paths__item__arrow">›</span> 2356 patch@2.7.6-7build3 2357 2358 </span> 2359 2360 </li> 2361 </ul><!-- .list-paths --> 2362 2363 </div><!-- .card__section --> 2364 2365 <hr/> 2366 <!-- Overview --> 2367 <h2 id="nvd-description">NVD Description</h2> 2368 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu</code>.</em> 2369 <em>See <code>Remediation</code> below for the fixed versions and status that apply to <code>Ubuntu:24.04</code>.</em></p> 2370 <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p> 2371 <h2 id="remediation">Remediation</h2> 2372 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>patch</code>.</p> 2373 <h2 id="references">References</h2> 2374 <ul> 2375 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952</a></li> 2376 <li><a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952</a></li> 2377 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6952">https://security-tracker.debian.org/tracker/CVE-2018-6952</a></li> 2378 <li><a href="https://security.gentoo.org/glsa/201904-17">https://security.gentoo.org/glsa/201904-17</a></li> 2379 <li><a href="https://savannah.gnu.org/bugs/index.php?53133">https://savannah.gnu.org/bugs/index.php?53133</a></li> 2380 <li><a href="https://access.redhat.com/errata/RHSA-2019:2033">https://access.redhat.com/errata/RHSA-2019:2033</a></li> 2381 <li><a href="http://www.securityfocus.com/bid/103047">http://www.securityfocus.com/bid/103047</a></li> 2382 </ul> 2383 2384 <hr/> 2385 2386 <div class="cta card__cta"> 2387 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PATCH-6720551">More about this vulnerability</a></p> 2388 </div> 2389 2390 </div><!-- .card --> 2391 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2392 <h2 class="card__title">CVE-2024-41996</h2> 2393 <div class="card__section"> 2394 2395 <div class="card__labels"> 2396 <div class="label label--low"> 2397 <span class="label__text">low severity</span> 2398 </div> 2399 </div> 2400 2401 <hr/> 2402 2403 <ul class="card__meta"> 2404 <li class="card__meta__item"> 2405 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2406 </li> 2407 <li class="card__meta__item"> 2408 Package Manager: ubuntu:24.04 2409 </li> 2410 <li class="card__meta__item"> 2411 Vulnerable module: 2412 2413 openssl/libssl3t64 2414 </li> 2415 2416 <li class="card__meta__item">Introduced through: 2417 2418 docker-image|quay.io/argoproj/argocd@v2.14.17 and openssl/libssl3t64@3.0.13-0ubuntu3.5 2419 2420 </li> 2421 </ul> 2422 2423 <hr/> 2424 2425 2426 <h3 class="card__section__title">Detailed paths</h3> 2427 2428 <ul class="card__meta__paths"> 2429 
<li> 2430 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2431 docker-image|quay.io/argoproj/argocd@v2.14.17 2432 <span class="list-paths__item__arrow">›</span> 2433 openssl/libssl3t64@3.0.13-0ubuntu3.5 2434 2435 </span> 2436 2437 </li> 2438 <li> 2439 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2440 docker-image|quay.io/argoproj/argocd@v2.14.17 2441 <span class="list-paths__item__arrow">›</span> 2442 coreutils@9.4-3ubuntu6 2443 <span class="list-paths__item__arrow">›</span> 2444 openssl/libssl3t64@3.0.13-0ubuntu3.5 2445 2446 </span> 2447 2448 </li> 2449 <li> 2450 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2451 docker-image|quay.io/argoproj/argocd@v2.14.17 2452 <span class="list-paths__item__arrow">›</span> 2453 cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 2454 <span class="list-paths__item__arrow">›</span> 2455 openssl/libssl3t64@3.0.13-0ubuntu3.5 2456 2457 </span> 2458 2459 </li> 2460 <li> 2461 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2462 docker-image|quay.io/argoproj/argocd@v2.14.17 2463 <span class="list-paths__item__arrow">›</span> 2464 libfido2/libfido2-1@1.14.0-1build3 2465 <span class="list-paths__item__arrow">›</span> 2466 openssl/libssl3t64@3.0.13-0ubuntu3.5 2467 2468 </span> 2469 2470 </li> 2471 <li> 2472 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2473 docker-image|quay.io/argoproj/argocd@v2.14.17 2474 <span class="list-paths__item__arrow">›</span> 2475 openssh/openssh-client@1:9.6p1-3ubuntu13.13 2476 <span class="list-paths__item__arrow">›</span> 2477 openssl/libssl3t64@3.0.13-0ubuntu3.5 2478 2479 </span> 2480 2481 </li> 2482 <li> 2483 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2484 docker-image|quay.io/argoproj/argocd@v2.14.17 2485 <span class="list-paths__item__arrow">›</span> 2486 ca-certificates@20240203 2487 <span class="list-paths__item__arrow">›</span> 2488 
openssl@3.0.13-0ubuntu3.5 2489 <span class="list-paths__item__arrow">›</span> 2490 openssl/libssl3t64@3.0.13-0ubuntu3.5 2491 2492 </span> 2493 2494 </li> 2495 <li> 2496 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2497 docker-image|quay.io/argoproj/argocd@v2.14.17 2498 <span class="list-paths__item__arrow">›</span> 2499 git@1:2.43.0-1ubuntu7.3 2500 <span class="list-paths__item__arrow">›</span> 2501 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2502 <span class="list-paths__item__arrow">›</span> 2503 libssh/libssh-4@0.10.6-2ubuntu0.1 2504 <span class="list-paths__item__arrow">›</span> 2505 openssl/libssl3t64@3.0.13-0ubuntu3.5 2506 2507 </span> 2508 2509 </li> 2510 <li> 2511 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2512 docker-image|quay.io/argoproj/argocd@v2.14.17 2513 <span class="list-paths__item__arrow">›</span> 2514 git@1:2.43.0-1ubuntu7.3 2515 <span class="list-paths__item__arrow">›</span> 2516 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2517 <span class="list-paths__item__arrow">›</span> 2518 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 2519 <span class="list-paths__item__arrow">›</span> 2520 krb5/libkrb5-3@1.20.1-6ubuntu2.6 2521 <span class="list-paths__item__arrow">›</span> 2522 openssl/libssl3t64@3.0.13-0ubuntu3.5 2523 2524 </span> 2525 2526 </li> 2527 <li> 2528 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2529 docker-image|quay.io/argoproj/argocd@v2.14.17 2530 <span class="list-paths__item__arrow">›</span> 2531 git@1:2.43.0-1ubuntu7.3 2532 <span class="list-paths__item__arrow">›</span> 2533 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2534 <span class="list-paths__item__arrow">›</span> 2535 openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 2536 <span class="list-paths__item__arrow">›</span> 2537 cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 2538 <span class="list-paths__item__arrow">›</span> 2539 openssl/libssl3t64@3.0.13-0ubuntu3.5 2540 2541 </span> 2542 2543 </li> 2544 <li> 2545 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2546 docker-image|quay.io/argoproj/argocd@v2.14.17 2547 <span class="list-paths__item__arrow">›</span> 2548 openssl@3.0.13-0ubuntu3.5 2549 2550 </span> 2551 2552 </li> 2553 <li> 2554 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2555 docker-image|quay.io/argoproj/argocd@v2.14.17 2556 <span class="list-paths__item__arrow">›</span> 2557 ca-certificates@20240203 2558 <span class="list-paths__item__arrow">›</span> 2559 openssl@3.0.13-0ubuntu3.5 2560 2561 </span> 2562 2563 </li> 2564 </ul><!-- .list-paths --> 2565 2566 </div><!-- .card__section --> 2567 2568 <hr/> 2569 <!-- Overview --> 2570 <h2 id="nvd-description">NVD Description</h2> 2571 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Ubuntu</code>.</em> 2572 <em>See <code>Remediation</code> below for the fixed versions and status that apply to <code>Ubuntu:24.04</code>.</em></p> 2573 <p>Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. 
The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.</p> 2574 <h2 id="remediation">Remediation</h2> 2575 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>openssl</code>.</p> 2576 <h2 id="references">References</h2> 2577 <ul> 2578 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996</a></li> 2579 <li><a href="https://dheatattack.gitlab.io/details/">https://dheatattack.gitlab.io/details/</a></li> 2580 <li><a href="https://dheatattack.gitlab.io/faq/">https://dheatattack.gitlab.io/faq/</a></li> 2581 <li><a href="https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1">https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1</a></li> 2582 </ul> 2583 2584 <hr/> 2585 2586 <div class="cta card__cta"> 2587 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-OPENSSL-7838291">More about this vulnerability</a></p> 2588 </div> 2589 2590 </div><!-- .card --> 2591 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2592 <h2 class="card__title">Information Exposure</h2> 2593 <div class="card__section"> 2594 2595 <div class="card__labels"> 2596 <div class="label label--low"> 2597 <span class="label__text">low severity</span> 2598 </div> 2599 </div> 2600 2601 <hr/> 2602 2603 <ul class="card__meta"> 2604 <li class="card__meta__item"> 2605 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2606 </li> 2607 <li class="card__meta__item"> 2608 Package Manager: ubuntu:24.04 2609 </li> 2610 <li class="card__meta__item"> 2611 Vulnerable module: 2612 2613 libgcrypt20 2614 </li> 2615 2616 <li class="card__meta__item">Introduced through: 2617 2618 docker-image|quay.io/argoproj/argocd@v2.14.17 and libgcrypt20@1.10.3-2build1 2619 2620 </li> 2621 </ul> 
2622 2623 <hr/> 2624 2625 2626 <h3 class="card__section__title">Detailed paths</h3> 2627 2628 <ul class="card__meta__paths"> 2629 <li> 2630 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2631 docker-image|quay.io/argoproj/argocd@v2.14.17 2632 <span class="list-paths__item__arrow">›</span> 2633 libgcrypt20@1.10.3-2build1 2634 2635 </span> 2636 2637 </li> 2638 <li> 2639 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2640 docker-image|quay.io/argoproj/argocd@v2.14.17 2641 <span class="list-paths__item__arrow">›</span> 2642 gnupg2/dirmngr@2.4.4-2ubuntu17.3 2643 <span class="list-paths__item__arrow">›</span> 2644 libgcrypt20@1.10.3-2build1 2645 2646 </span> 2647 2648 </li> 2649 <li> 2650 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2651 docker-image|quay.io/argoproj/argocd@v2.14.17 2652 <span class="list-paths__item__arrow">›</span> 2653 gnupg2/gpg@2.4.4-2ubuntu17.3 2654 <span class="list-paths__item__arrow">›</span> 2655 libgcrypt20@1.10.3-2build1 2656 2657 </span> 2658 2659 </li> 2660 <li> 2661 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2662 docker-image|quay.io/argoproj/argocd@v2.14.17 2663 <span class="list-paths__item__arrow">›</span> 2664 gnupg2/gpg-agent@2.4.4-2ubuntu17.3 2665 <span class="list-paths__item__arrow">›</span> 2666 libgcrypt20@1.10.3-2build1 2667 2668 </span> 2669 2670 </li> 2671 <li> 2672 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2673 docker-image|quay.io/argoproj/argocd@v2.14.17 2674 <span class="list-paths__item__arrow">›</span> 2675 apt@2.8.3 2676 <span class="list-paths__item__arrow">›</span> 2677 apt/libapt-pkg6.0t64@2.8.3 2678 <span class="list-paths__item__arrow">›</span> 2679 libgcrypt20@1.10.3-2build1 2680 2681 </span> 2682 2683 </li> 2684 <li> 2685 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2686 docker-image|quay.io/argoproj/argocd@v2.14.17 2687 <span 
class="list-paths__item__arrow">›</span> 2688 apt@2.8.3 2689 <span class="list-paths__item__arrow">›</span> 2690 gnupg2/gpgv@2.4.4-2ubuntu17.3 2691 <span class="list-paths__item__arrow">›</span> 2692 libgcrypt20@1.10.3-2build1 2693 2694 </span> 2695 2696 </li> 2697 <li> 2698 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2699 docker-image|quay.io/argoproj/argocd@v2.14.17 2700 <span class="list-paths__item__arrow">›</span> 2701 gnupg2/gpg@2.4.4-2ubuntu17.3 2702 <span class="list-paths__item__arrow">›</span> 2703 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2704 <span class="list-paths__item__arrow">›</span> 2705 libgcrypt20@1.10.3-2build1 2706 2707 </span> 2708 2709 </li> 2710 <li> 2711 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2712 docker-image|quay.io/argoproj/argocd@v2.14.17 2713 <span class="list-paths__item__arrow">›</span> 2714 apt@2.8.3 2715 <span class="list-paths__item__arrow">›</span> 2716 adduser@3.137ubuntu1 2717 <span class="list-paths__item__arrow">›</span> 2718 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 2719 <span class="list-paths__item__arrow">›</span> 2720 pam/libpam-modules@1.5.3-5ubuntu5.4 2721 <span class="list-paths__item__arrow">›</span> 2722 systemd/libsystemd0@255.4-1ubuntu8.10 2723 <span class="list-paths__item__arrow">›</span> 2724 libgcrypt20@1.10.3-2build1 2725 2726 </span> 2727 2728 </li> 2729 </ul><!-- .list-paths --> 2730 2731 </div><!-- .card__section --> 2732 2733 <hr/> 2734 <!-- Overview --> 2735 <h2 id="nvd-description">NVD Description</h2> 2736 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>libgcrypt20</code> package and not the <code>libgcrypt20</code> package as distributed by <code>Ubuntu</code>.</em> 2737 <em>See <code>Remediation</code> below for the fixed versions and status that apply to <code>Ubuntu:24.04</code>.</em></p> 2738 <p>A timing-based side-channel flaw was found in libgcrypt's RSA implementation. 
This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.</p> 2739 <h2 id="remediation">Remediation</h2> 2740 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>libgcrypt20</code>.</p> 2741 <h2 id="references">References</h2> 2742 <ul> 2743 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236</a></li> 2744 <li><a href="https://access.redhat.com/errata/RHSA-2024:9404">https://access.redhat.com/errata/RHSA-2024:9404</a></li> 2745 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2268268">https://bugzilla.redhat.com/show_bug.cgi?id=2268268</a></li> 2746 <li><a href="https://access.redhat.com/errata/RHSA-2025:3534">https://access.redhat.com/errata/RHSA-2025:3534</a></li> 2747 <li><a href="https://access.redhat.com/errata/RHSA-2025:3530">https://access.redhat.com/errata/RHSA-2025:3530</a></li> 2748 <li><a href="https://access.redhat.com/security/cve/CVE-2024-2236">https://access.redhat.com/security/cve/CVE-2024-2236</a></li> 2749 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2245218">https://bugzilla.redhat.com/show_bug.cgi?id=2245218</a></li> 2750 </ul> 2751 2752 <hr/> 2753 2754 <div class="cta card__cta"> 2755 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-LIBGCRYPT20-6693674">More about this vulnerability</a></p> 2756 </div> 2757 2758 </div><!-- .card --> 2759 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2760 <h2 class="card__title">Out-of-bounds Write</h2> 2761 <div class="card__section"> 2762 2763 <div class="card__labels"> 2764 <div class="label label--low"> 2765 <span class="label__text">low severity</span> 2766 </div> 2767 </div> 2768 2769 <hr/> 2770 2771 <ul class="card__meta"> 2772 <li class="card__meta__item"> 2773 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> 
Dockerfile 2774 </li> 2775 <li class="card__meta__item"> 2776 Package Manager: ubuntu:24.04 2777 </li> 2778 <li class="card__meta__item"> 2779 Vulnerable module: 2780 2781 gnupg2/gpgv 2782 </li> 2783 2784 <li class="card__meta__item">Introduced through: 2785 2786 docker-image|quay.io/argoproj/argocd@v2.14.17 and gnupg2/gpgv@2.4.4-2ubuntu17.3 2787 2788 </li> 2789 </ul> 2790 2791 <hr/> 2792 2793 2794 <h3 class="card__section__title">Detailed paths</h3> 2795 2796 <ul class="card__meta__paths"> 2797 <li> 2798 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2799 docker-image|quay.io/argoproj/argocd@v2.14.17 2800 <span class="list-paths__item__arrow">›</span> 2801 gnupg2/gpgv@2.4.4-2ubuntu17.3 2802 2803 </span> 2804 2805 </li> 2806 <li> 2807 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2808 docker-image|quay.io/argoproj/argocd@v2.14.17 2809 <span class="list-paths__item__arrow">›</span> 2810 apt@2.8.3 2811 <span class="list-paths__item__arrow">›</span> 2812 gnupg2/gpgv@2.4.4-2ubuntu17.3 2813 2814 </span> 2815 2816 </li> 2817 <li> 2818 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2819 docker-image|quay.io/argoproj/argocd@v2.14.17 2820 <span class="list-paths__item__arrow">›</span> 2821 gnupg2/dirmngr@2.4.4-2ubuntu17.3 2822 <span class="list-paths__item__arrow">›</span> 2823 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2824 2825 </span> 2826 2827 </li> 2828 <li> 2829 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2830 docker-image|quay.io/argoproj/argocd@v2.14.17 2831 <span class="list-paths__item__arrow">›</span> 2832 gnupg2/gpg-agent@2.4.4-2ubuntu17.3 2833 <span class="list-paths__item__arrow">›</span> 2834 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2835 2836 </span> 2837 2838 </li> 2839 <li> 2840 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2841 docker-image|quay.io/argoproj/argocd@v2.14.17 2842 <span class="list-paths__item__arrow">›</span> 2843 
gnupg2/gpg@2.4.4-2ubuntu17.3 2844 <span class="list-paths__item__arrow">›</span> 2845 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2846 2847 </span> 2848 2849 </li> 2850 <li> 2851 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2852 docker-image|quay.io/argoproj/argocd@v2.14.17 2853 <span class="list-paths__item__arrow">›</span> 2854 gnupg2/dirmngr@2.4.4-2ubuntu17.3 2855 2856 </span> 2857 2858 </li> 2859 <li> 2860 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2861 docker-image|quay.io/argoproj/argocd@v2.14.17 2862 <span class="list-paths__item__arrow">›</span> 2863 gnupg2/gpg@2.4.4-2ubuntu17.3 2864 2865 </span> 2866 2867 </li> 2868 <li> 2869 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2870 docker-image|quay.io/argoproj/argocd@v2.14.17 2871 <span class="list-paths__item__arrow">›</span> 2872 gnupg2/gpg-agent@2.4.4-2ubuntu17.3 2873 2874 </span> 2875 2876 </li> 2877 </ul><!-- .list-paths --> 2878 2879 </div><!-- .card__section --> 2880 2881 <hr/> 2882 <!-- Overview --> 2883 <h2 id="nvd-description">NVD Description</h2> 2884 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gnupg2</code> package and not the <code>gnupg2</code> package as distributed by <code>Ubuntu</code>.</em> 2885 <em>See <code>How to fix?</code> (the <code>Remediation</code> section below) for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2886 <p>GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.</p> <p>The card title, <em>Out-of-bounds Write</em>, names a memory-corruption weakness class, whereas this description reports excessive CPU use on a small crafted input. When triaging, note that the description reports an availability impact rather than memory corruption, and confirm the classification against the references below.</p> 2887 <h2 id="remediation">Remediation</h2> 2888 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>gnupg2</code>.</p> 2889 <h2 id="references">References</h2> 2890 <ul> 2891 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219</a></li> 2892 <li><a 
href="https://access.redhat.com/security/cve/CVE-2022-3219">https://access.redhat.com/security/cve/CVE-2022-3219</a></li> 2893 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2127010">https://bugzilla.redhat.com/show_bug.cgi?id=2127010</a></li> 2894 <li><a href="https://dev.gnupg.org/D556">https://dev.gnupg.org/D556</a></li> 2895 <li><a href="https://dev.gnupg.org/T5993">https://dev.gnupg.org/T5993</a></li> 2896 <li><a href="https://marc.info/?l=oss-security&m=165696590211434&w=4">https://marc.info/?l=oss-security&m=165696590211434&w=4</a></li> 2897 <li><a href="https://security.netapp.com/advisory/ntap-20230324-0001/">https://security.netapp.com/advisory/ntap-20230324-0001/</a></li> 2898 </ul> 2899 2900 <hr/> 2901 2902 <div class="cta card__cta"> 2903 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GNUPG2-6702792">More about this vulnerability</a></p> 2904 </div> 2905 2906 </div><!-- .card --> 2907 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2908 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 2909 <div class="card__section"> 2910 2911 <div class="card__labels"> 2912 <div class="label label--low"> 2913 <span class="label__text">low severity</span> 2914 </div> 2915 </div> 2916 2917 <hr/> 2918 2919 <ul class="card__meta"> 2920 <li class="card__meta__item"> 2921 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2922 </li> 2923 <li class="card__meta__item"> 2924 Package Manager: ubuntu:24.04 2925 </li> 2926 <li class="card__meta__item"> 2927 Vulnerable module: 2928 2929 glibc/libc-bin 2930 </li> 2931 2932 <li class="card__meta__item">Introduced through: 2933 2934 docker-image|quay.io/argoproj/argocd@v2.14.17 and glibc/libc-bin@2.39-0ubuntu8.5 2935 2936 </li> 2937 </ul> 2938 2939 <hr/> 2940 2941 2942 <h3 class="card__section__title">Detailed paths</h3> 2943 2944 <ul class="card__meta__paths"> 2945 <li> 2946 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2947 docker-image|quay.io/argoproj/argocd@v2.14.17 2948 <span class="list-paths__item__arrow">›</span> 2949 glibc/libc-bin@2.39-0ubuntu8.5 2950 2951 </span> 2952 2953 </li> 2954 <li> 2955 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2956 docker-image|quay.io/argoproj/argocd@v2.14.17 2957 <span class="list-paths__item__arrow">›</span> 2958 glibc/libc6@2.39-0ubuntu8.5 2959 2960 </span> 2961 2962 </li> 2963 </ul><!-- .list-paths --> 2964 2965 </div><!-- .card__section --> 2966 2967 <hr/> 2968 <!-- Overview --> 2969 <h2 id="nvd-description">NVD Description</h2> 2970 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 2971 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2972 <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.</p> 2973 <h2 id="remediation">Remediation</h2> 2974 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>glibc</code>.</p> 2975 <h2 id="references">References</h2> 2976 <ul> 2977 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013</a></li> 2978 <li><a href="https://akkadia.org/drepper/SHA-crypt.txt">https://akkadia.org/drepper/SHA-crypt.txt</a></li> 2979 <li><a href="https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/">https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/</a></li> 2980 <li><a href="https://twitter.com/solardiz/status/795601240151457793">https://twitter.com/solardiz/status/795601240151457793</a></li> 2981 </ul> 2982 2983 <hr/> 
2984 2985 <div class="cta card__cta"> 2986 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-6727419">More about this vulnerability</a></p> 2987 </div> 2988 2989 </div><!-- .card --> 2990 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2991 <h2 class="card__title">CVE-2025-9086</h2> 2992 <div class="card__section"> 2993 2994 <div class="card__labels"> 2995 <div class="label label--low"> 2996 <span class="label__text">low severity</span> 2997 </div> 2998 </div> 2999 3000 <hr/> 3001 3002 <ul class="card__meta"> 3003 <li class="card__meta__item"> 3004 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 3005 </li> 3006 <li class="card__meta__item"> 3007 Package Manager: ubuntu:24.04 3008 </li> 3009 <li class="card__meta__item"> 3010 Vulnerable module: 3011 3012 curl/libcurl3t64-gnutls 3013 </li> 3014 3015 <li class="card__meta__item">Introduced through: 3016 3017 3018 docker-image|quay.io/argoproj/argocd@v2.14.17, git@1:2.43.0-1ubuntu7.3 and others 3019 </li> 3020 </ul> 3021 3022 <hr/> 3023 3024 3025 <h3 class="card__section__title">Detailed paths</h3> 3026 3027 <ul class="card__meta__paths"> 3028 <li> 3029 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3030 docker-image|quay.io/argoproj/argocd@v2.14.17 3031 <span class="list-paths__item__arrow">›</span> 3032 git@1:2.43.0-1ubuntu7.3 3033 <span class="list-paths__item__arrow">›</span> 3034 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 3035 3036 </span> 3037 3038 </li> 3039 </ul><!-- .list-paths --> 3040 3041 </div><!-- .card__section --> 3042 3043 <hr/> 3044 <!-- Overview --> 3045 <h2 id="nvd-description">NVD Description</h2> 3046 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 3047 <em>See <code>How to fix?</code> for 
<code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> <p>The problem arises from the following sequence of events:</p> 3048 <ol> 3049 <li>A cookie is set using the <code>secure</code> keyword for <code>https://target</code></li> 3050 <li>curl is redirected to or otherwise made to speak with <code>http://target</code> (same 3051 hostname, but using clear text HTTP) using the same cookie set</li> 3052 <li>The same cookie name is set - but with just a slash as path (<code>path=&#39;/&#39;</code>). 3053 Since this site is not secure, the cookie <em>should</em> just be ignored.</li> 3054 <li>A bug in the path comparison logic makes curl read outside a heap buffer 3055 boundary</li> 3056 </ol> 3057 <p>The bug either causes a crash or it potentially makes the comparison come to 3058 the wrong conclusion and lets the clear-text site override the contents of the 3059 secure cookie, contrary to expectations and depending on the memory contents 3060 immediately following the single-byte allocation that holds the path.</p> 3061 <p>The presumed and correct behavior would be to plainly ignore the second setting of 3062 the cookie since it was already set as secure on a secure host so overriding 3063 it on an insecure host should not be okay.</p> 3064 <h2 id="remediation">Remediation</h2> 3065 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p> 3066 <h2 id="references">References</h2> 3067 <ul> 3068 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086</a></li> 3069 <li><a href="https://curl.se/docs/CVE-2025-9086.html">https://curl.se/docs/CVE-2025-9086.html</a></li> 3070 <li><a href="https://curl.se/docs/CVE-2025-9086.json">https://curl.se/docs/CVE-2025-9086.json</a></li> 3071 <li><a href="https://hackerone.com/reports/3294999">https://hackerone.com/reports/3294999</a></li> 3072 </ul> 3073 3074 <hr/> 3075 3076 <div class="cta card__cta"> 3077 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-12613443">More about this 
vulnerability</a></p> 3078 </div> 3079 3080 </div><!-- .card --> 3081 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3082 <h2 class="card__title">CVE-2025-10148</h2> 3083 <div class="card__section"> 3084 3085 <div class="card__labels"> 3086 <div class="label label--low"> 3087 <span class="label__text">low severity</span> 3088 </div> 3089 </div> 3090 3091 <hr/> 3092 3093 <ul class="card__meta"> 3094 <li class="card__meta__item"> 3095 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 3096 </li> 3097 <li class="card__meta__item"> 3098 Package Manager: ubuntu:24.04 3099 </li> 3100 <li class="card__meta__item"> 3101 Vulnerable module: 3102 3103 curl/libcurl3t64-gnutls 3104 </li> 3105 3106 <li class="card__meta__item">Introduced through: 3107 3108 3109 docker-image|quay.io/argoproj/argocd@v2.14.17, git@1:2.43.0-1ubuntu7.3 and others 3110 </li> 3111 </ul> 3112 3113 <hr/> 3114 3115 3116 <h3 class="card__section__title">Detailed paths</h3> 3117 3118 <ul class="card__meta__paths"> 3119 <li> 3120 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3121 docker-image|quay.io/argoproj/argocd@v2.14.17 3122 <span class="list-paths__item__arrow">›</span> 3123 git@1:2.43.0-1ubuntu7.3 3124 <span class="list-paths__item__arrow">›</span> 3125 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 3126 3127 </span> 3128 3129 </li> 3130 </ul><!-- .list-paths --> 3131 3132 </div><!-- .card__section --> 3133 3134 <hr/> 3135 <!-- Overview --> 3136 <h2 id="nvd-description">NVD Description</h2> 3137 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 3138 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 3139 <p>curl's websocket code did not update the 32 bit mask 
pattern for each new 3140 outgoing frame as the specification says. Instead it used a fixed mask that 3141 persisted and was used throughout the entire connection.</p> 3142 <p>A predictable mask pattern allows for a malicious server to induce traffic 3143 between the two communicating parties that could be interpreted by an involved 3144 proxy (configured or transparent) as genuine, real, HTTP traffic with content 3145 and thereby poison its cache. That cached poisoned content could then be 3146 served to all users of that proxy.</p> 3147 <h2 id="remediation">Remediation</h2> 3148 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p> 3149 <h2 id="references">References</h2> 3150 <ul> 3151 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148</a></li> 3152 <li><a href="https://curl.se/docs/CVE-2025-10148.html">https://curl.se/docs/CVE-2025-10148.html</a></li> 3153 <li><a href="https://curl.se/docs/CVE-2025-10148.json">https://curl.se/docs/CVE-2025-10148.json</a></li> 3154 <li><a href="https://hackerone.com/reports/3330839">https://hackerone.com/reports/3330839</a></li> 3155 </ul> 3156 3157 <hr/> 3158 3159 <div class="cta card__cta"> 3160 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-12613507">More about this vulnerability</a></p> 3161 </div> 3162 3163 </div><!-- .card --> 3164 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3165 <h2 class="card__title">CVE-2025-0167</h2> 3166 <div class="card__section"> 3167 3168 <div class="card__labels"> 3169 <div class="label label--low"> 3170 <span class="label__text">low severity</span> 3171 </div> 3172 </div> 3173 3174 <hr/> 3175 3176 <ul class="card__meta"> 3177 <li class="card__meta__item"> 3178 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 3179 </li> 3180 <li class="card__meta__item"> 3181 Package 
Manager: ubuntu:24.04 3182 </li> 3183 <li class="card__meta__item"> 3184 Vulnerable module: 3185 3186 curl/libcurl3t64-gnutls 3187 </li> 3188 3189 <li class="card__meta__item">Introduced through: 3190 3191 3192 docker-image|quay.io/argoproj/argocd@v2.14.17, git@1:2.43.0-1ubuntu7.3 and others 3193 </li> 3194 </ul> 3195 3196 <hr/> 3197 3198 3199 <h3 class="card__section__title">Detailed paths</h3> 3200 3201 <ul class="card__meta__paths"> 3202 <li> 3203 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3204 docker-image|quay.io/argoproj/argocd@v2.14.17 3205 <span class="list-paths__item__arrow">›</span> 3206 git@1:2.43.0-1ubuntu7.3 3207 <span class="list-paths__item__arrow">›</span> 3208 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 3209 3210 </span> 3211 3212 </li> 3213 </ul><!-- .list-paths --> 3214 3215 </div><!-- .card__section --> 3216 3217 <hr/> 3218 <!-- Overview --> 3219 <h2 id="nvd-description">NVD Description</h2> 3220 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 3221 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 3222 <p>When asked to use a <code>.netrc</code> file for credentials <strong>and</strong> to follow HTTP 3223 redirects, curl could leak the password used for the first host to the 3224 followed-to host under certain circumstances.</p> 3225 <p>This flaw only manifests itself if the netrc file has a <code>default</code> entry that 3226 omits both login and password. 
A rare circumstance.</p> 3227 <h2 id="remediation">Remediation</h2> 3228 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p> 3229 <h2 id="references">References</h2> 3230 <ul> 3231 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167</a></li> 3232 <li><a href="https://curl.se/docs/CVE-2025-0167.json">https://curl.se/docs/CVE-2025-0167.json</a></li> 3233 <li><a href="https://hackerone.com/reports/2917232">https://hackerone.com/reports/2917232</a></li> 3234 <li><a href="https://security.netapp.com/advisory/ntap-20250306-0008/">https://security.netapp.com/advisory/ntap-20250306-0008/</a></li> 3235 <li><a href="https://curl.se/docs/CVE-2025-0167.html">https://curl.se/docs/CVE-2025-0167.html</a></li> 3236 </ul> 3237 3238 <hr/> 3239 3240 <div class="cta card__cta"> 3241 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-8689015">More about this vulnerability</a></p> 3242 </div> 3243 3244 </div><!-- .card --> 3245 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3246 <h2 class="card__title">Improper Input Validation</h2> 3247 <div class="card__section"> 3248 3249 <div class="card__labels"> 3250 <div class="label label--low"> 3251 <span class="label__text">low severity</span> 3252 </div> 3253 </div> 3254 3255 <hr/> 3256 3257 <ul class="card__meta"> 3258 <li class="card__meta__item"> 3259 Manifest file: quay.io/argoproj/argocd:v2.14.17/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 3260 </li> 3261 <li class="card__meta__item"> 3262 Package Manager: ubuntu:24.04 3263 </li> 3264 <li class="card__meta__item"> 3265 Vulnerable module: 3266 3267 coreutils 3268 </li> 3269 3270 <li class="card__meta__item">Introduced through: 3271 3272 docker-image|quay.io/argoproj/argocd@v2.14.17 and coreutils@9.4-3ubuntu6 3273 3274 </li> 3275 </ul> 3276 3277 <hr/> 3278 3279 3280 <h3 class="card__section__title">Detailed 
paths</h3> 3281 3282 <ul class="card__meta__paths"> 3283 <li> 3284 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3285 docker-image|quay.io/argoproj/argocd@v2.14.17 3286 <span class="list-paths__item__arrow">›</span> 3287 coreutils@9.4-3ubuntu6 3288 3289 </span> 3290 3291 </li> 3292 </ul><!-- .list-paths --> 3293 3294 </div><!-- .card__section --> 3295 3296 <hr/> 3297 <!-- Overview --> 3298 <h2 id="nvd-description">NVD Description</h2> 3299 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu</code>.</em> 3300 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 3301 <p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.</p> 3302 <h2 id="remediation">Remediation</h2> 3303 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>coreutils</code>.</p> 3304 <h2 id="references">References</h2> 3305 <ul> 3306 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781</a></li> 3307 <li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2781">https://security-tracker.debian.org/tracker/CVE-2016-2781</a></li> 3308 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E</a></li> 3309 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/2">http://www.openwall.com/lists/oss-security/2016/02/28/2</a></li> 3310 <li><a 
href="http://www.openwall.com/lists/oss-security/2016/02/28/3">http://www.openwall.com/lists/oss-security/2016/02/28/3</a></li> 3311 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E">https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E</a></li> 3312 </ul> 3313 3314 <hr/> 3315 3316 <div class="cta card__cta"> 3317 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-COREUTILS-6727355">More about this vulnerability</a></p> 3318 </div> 3319 3320 </div><!-- .card --> 3321 </div><!-- cards --> 3322 </div> 3323 </main><!-- .layout-stacked__content --> 3324 </body> 3325 3326 </html>