| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 10.0 | CVE-2022-29165 | Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd | from 0, < 2.1.15, >= 2.2.0, < 2.2.9, >= 2.3.0, < 2.3.4 |
| CRITICAL | 10.0 | CVE-2022-29165 | Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd | >= 2.3.0, < 2.3.4 |
| CRITICAL | 9.9 | | Argo CD: Project API Token Exposes Repository Credentials | >= 2.13.0, < 2.13.9, >= 2.14.0, < 2.14.16 |
| CRITICAL | 9.9 | | Argo CD: Project API Token Exposes Repository Credentials | >= 2.13.0, < 2.13.9 |
| CRITICAL | 9.9 | | Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd | >= 2.2.0, < 2.6.15 |
| CRITICAL | 9.9 | | Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd | >= 2.2.0, < 2.6.15, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.3 |
| CRITICAL | 9.9 | | Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd | from 0, < 2.1.14, >= 2.2.0, < 2.2.8, >= 2.3.0, < 2.3.2 |
| CRITICAL | 9.1 | | Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd | >= 2.3.0, < 2.3.17, >= 2.4.0, < 2.4.23, >= 2.5.0, < 2.5.11, >= 2.6.0, < 2.6.2 |
| CRITICAL | 9.0 | | Argo CD allows cross-site scripting on repositories page | >= 2.0.0-rc3, < 2.13.8 |
| CRITICAL | 9.0 | | Argo CD allows cross-site scripting on repositories page | >= 2.0.0-rc3, < 2.13.8, >= 2.14.0-rc1, < 2.14.13 |
| CRITICAL | 9.0 | | ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache | from 0, < 2.8.19, >= 2.9.0-rc1, < 2.9.15, >= 2.10.0-rc1, < 2.10.10, >= 2.11.0-rc1, < 2.11.1 |
| CRITICAL | 9.0 | | ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache | from 0, < 2.8.19 |
| CRITICAL | 9.0 | | Cross-site scripting on application summary component in argo-cd | >= 2.9.0, < 2.9.8 |
| CRITICAL | 9.0 | | Cross-site scripting on application summary component in argo-cd | >= 2.0.0, < 2.8.12, >= 2.9.0, < 2.9.8, >= 2.10.0, < 2.10.3 |
| CRITICAL | 9.0 | | JWT audience claim is not verified in github.com/argoproj/argo-cd | from 0, < 2.3.14, >= 2.4.0, < 2.4.20, >= 2.5.0, < 2.5.8, >= 2.6.0-rc1, < 2.6.0-rc5 |
| CRITICAL | 9.0 | | Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd | from 0, < 2.1.16 |
| CRITICAL | 9.0 | | Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd | from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1 |
| HIGH | 8.8 | | Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd | from 0, < 2.1.14, >= 2.2.0, < 2.2.8, >= 2.3.0, < 2.3.2 |
| HIGH | 8.8 | | Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd | from 0, < 2.1.14 |
| HIGH | 8.5 | | Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd | >= 2.5.0-rc1, < 2.5.8, >= 2.6.0-rc4, < 2.6.0-rc5 |
| HIGH | 8.5 | | Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd | >= 2.5.0-rc1, < 2.5.8 |
| HIGH | 8.3 | | github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability | from 0, < 2.7.16 |
| HIGH | 8.3 | | Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd | from 0, < 2.2.11, >= 2.3.0, < 2.3.6, >= 2.4.0, < 2.4.5 |
| HIGH | 8.3 | | Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd | from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1 |
| HIGH | 8.3 | | Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd | from 0, < 2.1.16 |
| HIGH | 7.7 | | Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.1.11, >= 2.2.0, < 2.2.6, >= 2.3.0-rc1, < 2.3.0 |
| HIGH | 7.7 | | Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd | from 0, < 2.1.9 |
| HIGH | 7.7 | | Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd | from 0, < 2.1.9, >= 2.2.0, < 2.2.4 |
| HIGH | 7.5 | | Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook | >= 2.9.0-rc1, < 2.14.20 |
| HIGH | 7.5 | | argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload | >= 2.0.0-rc1, < 2.14.20 |
| HIGH | 7.5 | | argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload | from 0, < 2.14.20 |
| HIGH | 7.5 | | Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload | >= 2.0.0-rc1, < 2.14.20 |
| HIGH | 7.5 | | Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload | from 0, < 2.14.20 |
| HIGH | 7.5 | | Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint | from 0, < 2.9.20 |
| HIGH | 7.5 | | Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint | from 0, < 2.9.20, >= 2.10.0, < 2.10.15, >= 2.11.0, < 2.11.6 |
| HIGH | 7.5 | | Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment | from 0, < 2.8.13, >= 2.9.0, < 2.9.9, >= 2.10.0, < 2.10.4 |
| HIGH | 7.5 | | Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment | from 0, < 2.8.13 |
| HIGH | 7.3 | | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation | from 0, <= 2.14.21 |
| HIGH | 7.1 | | Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd | >= 2.6.0, < 2.6.14, >= 2.7.0, < 2.7.12, >= 2.8.0, < 2.8.1 |
| HIGH | 7.1 | | Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd | >= 2.6.0, < 2.6.14 |
| MEDIUM | 6.8 | | Argo CD does not scrub secret values from patch errors | >= 2.13.0, < 2.13.4 |
| MEDIUM | 6.8 | | Argo CD does not scrub secret values from patch errors | from 0, < 2.11.13, >= 2.12.0, < 2.12.10, >= 2.13.0, < 2.13.4 |
| MEDIUM | 6.8 | | Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.1.11, >= 2.2.0, < 2.2.6, >= 2.3.0-rc1, < 2.3.0 |
| MEDIUM | 6.5 | | Repository Credentials Race Condition Crashes Argo CD Server | >= 2.1.0, < 2.14.20 |
| MEDIUM | 6.5 | | Denial of Service via malicious jqPathExpressions in ignoreDifferences | >= 2.10.0, < 2.10.8 |
| MEDIUM | 6.5 | | Denial of Service via malicious jqPathExpressions in ignoreDifferences | from 0, < 2.8.17, >= 2.9.0, < 2.9.13, >= 2.10.0, < 2.10.8 |
| MEDIUM | 6.5 | | Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server | >= 2.4.0, < 2.8.14, >= 2.9.0, < 2.9.10, >= 2.10.0, < 2.10.5 |
| MEDIUM | 6.5 | | Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server | >= 2.4.0, < 2.8.14 |
| MEDIUM | 6.5 | | Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd | >= 2.4.0, < 2.6.15 |
| MEDIUM | 6.5 | | Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd | >= 2.4.0, < 2.6.15, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.3 |
| MEDIUM | 6.5 | | DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd | from 0, < 2.1.16 |
| MEDIUM | 6.5 | | DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd | from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1 |
| MEDIUM | 6.4 | | Users with `create` but not `override` privileges can perform local sync in argo-cd | >= 2.0.0, < 2.8.12, >= 2.9.0, < 2.9.8, >= 2.10.0, < 2.10.3 |
| MEDIUM | 6.4 | | Users with `create` but not `override` privileges can perform local sync in argo-cd | >= 2.9.0, < 2.9.8 |
| MEDIUM | 6.3 | | Repository access credential leak in github.com/argoproj/argo-cd/v2 | >= 2.6.0-rc1, < 2.6.1 |
| MEDIUM | 5.4 | | Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow | from 0, < 2.8.13 |
| MEDIUM | 5.4 | | Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow | from 0, < 2.8.13, >= 2.9.0, < 2.9.9, >= 2.10.0, < 2.10.4 |
| MEDIUM | 5.3 | | Unauthenticated Access to sensitive settings in Argo CD | >= 2.9.3, < 2.9.17, >= 2.10.0, < 2.10.12, >= 2.11.0, < 2.11.3 |
| MEDIUM | 5.3 | | Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd | from 0, < 2.4.28, >= 2.5.0, < 2.5.16, >= 2.6.0, < 2.6.7 |
| MEDIUM | 5.3 | | Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd | >= 2.5.0, < 2.5.16 |
| MEDIUM | 5.0 | | Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.3.0 |
| MEDIUM | 4.8 | | Argo CD' API server does not enforce project sourceNamespaces | >= 2.4.0, < 2.8.16, >= 2.9.0, < 2.9.12, >= 2.10.0, < 2.10.7 |
| MEDIUM | 4.8 | | Argo CD' API server does not enforce project sourceNamespaces | >= 2.4.0, < 2.8.16 |
| MEDIUM | 4.7 | | The Argo CD web terminal session does not handle the revocation of user permissions properly. | >= 2.6.0, < 2.9.21, >= 2.10.0, < 2.10.16, >= 2.11.0, < 2.11.7 |
| MEDIUM | 4.7 | | The Argo CD web terminal session does not handle the revocation of user permissions properly. | >= 2.6.0, < 2.9.21 |
| MEDIUM | 4.7 | | Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd | from 0, < 1.7.13 |
| MEDIUM | 4.3 | | Argo CD allows authenticated users to enumerate clusters by name | from 0, < 2.9.17, >= 2.10.0, < 2.10.12, >= 2.11.0, < 2.11.3 |
| MEDIUM | 4.3 | | Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1 |
| MEDIUM | 4.3 | | Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.1.16 |
| MEDIUM | 4.3 | | Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd | >= 2.0.0, < 2.1.15, >= 2.2.0, < 2.2.9, >= 2.3.0, < 2.3.4 |
| MEDIUM | 4.3 | | Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd | >= 2.3.0, < 2.3.4 |
| MEDIUM | 4.3 | | Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.1.15, >= 2.2.0, < 2.2.9, >= 2.3.0, < 2.3.4 |
| MEDIUM | 4.3 | | Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd | from 0, < 2.1.15 |
| LOW | 2.6 | | Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd | >= 2.3.0, < 2.3.6, >= 2.4.0, < 2.4.5 |