Argo 2.13.3 has critical vulnerabilities - CVE-2025-21613 , CVE-2024-45337 #21452

mani5h-harness · 2025-01-10T14:05:27Z

Checklist:

I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
I've included steps to reproduce the bug.
I've pasted the output of argocd version.

Summary

There are two critical vulnerabilities in latest argo cd image 2.13.3 as per aqua trivy scanner
The vulnerabilities are in github.com/go-git/go-git/v5 and golang.org/x/cypto

Details

Response from Aqua trivy vulnerability scanner

github.com/go-git/go-git/v5 │ GHSA-v725-9546-7q7m │ CRITICAL │ │ v5.12.0 │ 5.13.0 │ go-git: argument injection via the URL field | https://avd.aquasec.com/nvd/cve-2025-21613

golang.org/x/crypto │ GHSA-v778-237x-gjrc │ CRITICAL │ │ v0.27.0 │ 0.31.0 │ golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | https://avd.aquasec.com/nvd/cve-2024-45337

To Reproduce

Expected behavior

Screenshots

Version

Paste the output from `argocd version` here.

Logs

Paste any relevant application logs here.

The text was updated successfully, but these errors were encountered:

mani5h-harness added the bug Something isn't working label Jan 10, 2025

crenshaw-dev mentioned this issue Jan 10, 2025

chore(deps): bump github.com/go-git/go-git/v5 from 5.12.0 to 5.13.0 (cherry-pick #21329) #21401

Merged

agaudreault added component:security version:2.13 Latest confirmed affected version is 2.13 labels Jan 15, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Argo 2.13.3 has critical vulnerabilities - CVE-2025-21613 , CVE-2024-45337 #21452

Argo 2.13.3 has critical vulnerabilities - CVE-2025-21613 , CVE-2024-45337 #21452

mani5h-harness commented Jan 10, 2025

Argo 2.13.3 has critical vulnerabilities - CVE-2025-21613 , CVE-2024-45337 #21452

Argo 2.13.3 has critical vulnerabilities - CVE-2025-21613 , CVE-2024-45337 #21452

Comments

mani5h-harness commented Jan 10, 2025