Snyk test report
- quay.io/argoproj/argocd:v3.2.12/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:v3.2.12/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:v3.2.12//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:v3.2.12/helm/v3//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:v3.2.12/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
Incorrect Authorization
Detailed paths
Overview
Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 :path pseudo-headers in handleStream(). An attacker can gain unauthorized access to restricted resources by sending requests with malformed :path headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.
Workaround
This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.
Remediation
Upgrade google.golang.org/grpc to version 1.79.3 or higher.
References
Infinite loop
Detailed paths
Overview
golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.
Affected versions of this package are vulnerable to Infinite loop.
Go Vulnerability Report:
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Remediation
Upgrade golang.org/x/net/http2 to version 0.53.0 or higher.
References
Improper Check for Certificate Revocation
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Check for Certificate Revocation in the SignatureKey verification process. An attacker can bypass revocation enforcement by presenting a certificate with a revoked SignatureKey, potentially allowing unauthorized access or trust to be established.
Remediation
Upgrade golang.org/x/crypto/ssh/knownhosts to version 0.52.0 or higher.
References
Incorrect Type Conversion or Cast
Detailed paths
Overview
Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast due to the improper handling of crafted input data in the ed25519.PrivateKey component. An attacker can cause the client to panic by supplying malformed wire bytes.
Remediation
Upgrade golang.org/x/crypto/ssh/agent to version 0.52.0 or higher.
References
Missing Release of Resource after Effective Lifetime
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime through the repeated opening of channels by an authenticated SSH client that are subsequently rejected by the server. An attacker can cause unbounded memory growth and crash the server process by continuously triggering channel rejections.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Improper Authentication
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Improper Authentication due to the Verify method not checking the User Presence flag in FIDO/U2F security key types. An attacker can perform unauthorized authentication by generating signatures without requiring physical interaction with the hardware security key.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Incorrect Type Conversion or Cast
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast due to an incorrectly placed cast from bytes to int in the AES-GCM packet decoder process. An attacker can cause a server-side panic by sending specially crafted inputs.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Uncaught Exception
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Uncaught Exception in the CertChecker component when used as a public key callback without setting IsUserAuthority or IsHostAuthority. An attacker can cause the server to panic by presenting a crafted certificate.
Note:
This is only exploitable if both IsUserAuthority and IsHostAuthority are not set in the server configuration.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Untrusted Search Path
Detailed paths
Overview
Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.
Note: This vulnerability is only exploitable on MacOS/Darwin systems.
Remediation
Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.
References
Untrusted Search Path
Detailed paths
Overview
Affected versions of this package are vulnerable to Untrusted Search Path through the hostIDReaderBSD.read function in sdk/resource/host_id.go. An attacker can execute a malicious kenv binary by placing it earlier in $PATH and triggering host ID detection on BSD or Solaris systems when /etc/hostid is absent. When an application initializes OpenTelemetry resource detection under those conditions, it runs the attacker-controlled command in the application's context, allowing local code execution and compromising the process running the Go application.
Remediation
Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.43.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains within the allowed size limit.
Remediation
Upgrade go.opentelemetry.io/otel/propagation to version 1.41.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains within the allowed size limit.
Remediation
Upgrade go.opentelemetry.io/otel/internal/global to version 1.41.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of validation on attacker-controlled counts and lengths in the SPDY/3 frame parser. An attacker can exhaust process memory and cause an out-of-memory crash by sending a single crafted control frame with compressed header blocks that decompress into large allocation sizes.
Remediation
Upgrade github.com/moby/spdystream/spdy to version 0.5.1 or higher.
References
Uncaught Exception
Detailed paths
Overview
Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm (ending in 'KW', except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW') and the encrypted_key field is empty. An attacker can cause a panic and disrupt service by submitting a crafted JWE object with an empty encrypted_key field or by directly invoking cipher.KeyUnwrap with a ciphertext parameter less than 16 bytes long.
Note:
This is only exploitable if the list of accepted key algorithms includes key wrapping algorithms.
Workaround
This vulnerability can be mitigated by prevalidating JWE objects to ensure the encrypted_key field is nonempty, or by excluding key wrapping algorithms from the list of accepted key algorithms.
Remediation
Upgrade github.com/go-jose/go-jose/v4 to version 4.1.4 or higher.
References
Insufficiently Protected Credentials
Detailed paths
Overview
Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the advertisedReferences() function. The headers - including Authorization headers - from an initial /info/refs request are forwarded to redirect targets. An attacker can obtain authentication credentials by controlling a redirect target, and those credentials may be reused on other endpoints or attempted against other repositories owned by the victim. This is only exploitable if the client interacts with untrusted or misconfigured remote servers, or uses HTTP (not HTTPS) connections.
Remediation
Upgrade github.com/go-git/go-git/v5/plumbing/transport/http to version 5.18.0 or higher.
References
Incorrect Behavior Order: Validate Before Canonicalize
Detailed paths
Overview
Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the parsing of Git objects with malformed or ambiguous commit or tag objects. An attacker can cause inconsistent interpretation of object metadata or signature validation by introducing specially crafted objects that are parsed differently than by upstream Git, potentially leading to the acceptance of commits with misleading or unintended metadata.
Remediation
Upgrade github.com/go-git/go-git/v5/plumbing/object to version 5.19.0 or higher.
References
Inefficient Algorithmic Complexity
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Remediation
Upgrade golang.org/x/net/html to version 0.45.0 or higher.
References
Infinite loop
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.
Remediation
Upgrade golang.org/x/net/html to version 0.45.0 or higher.
References
Improper Check for Dropped Privileges
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Check for Dropped Privileges due to the omission of constraint extensions such as restrict-destination-v00@openssh.com when adding a key to a remote agent. An attacker can bypass intended key usage restrictions by forwarding keys without the associated constraints, enabling unrestricted use of the key on the remote host.
Remediation
Upgrade golang.org/x/crypto/ssh/agent to version 0.52.0 or higher.
References
Missing Authorization
Detailed paths
Overview
Affected versions of this package are vulnerable to Missing Authorization due to the NewKeyring function not enforcing the ConfirmBeforeUse constraint. An attacker can perform unauthorized signing operations by adding keys with constraints that are silently ignored.
Remediation
Upgrade golang.org/x/crypto/ssh/agent to version 0.52.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the public key parsers. An attacker can exhaust CPU resources by submitting crafted RSA or DSA public keys with excessively large parameters during signature verification. This can be triggered by unauthenticated clients during public key authentication.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Integer Overflow or Wraparound
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the payload size calculation within the Write process. An attacker can cause the process to enter an infinite loop and exhaust system resources by sending a single write operation with data larger than 4GB.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Missing Release of Resource after Effective Lifetime
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime through the handling of unsolicited global request responses, which can fill an internal buffer and block the connection's read loop. An attacker can cause a resource leak and prevent the release of blocked goroutines by sending unexpected responses.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Incorrect Authorization
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Incorrect Authorization. When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Incorrect Authorization
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Incorrect Authorization due to improper enforcement of permissions in the VerifiedPublicKeyCallback process. An attacker can bypass source-address validation by passing a callback type other than public key.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.52.0 or higher.
References
Improper Validation of Specified Type of Input
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.
Remediation
There is no fixed version for github.com/vmihailenco/msgpack/v5.
References
Directory Traversal
Detailed paths
Overview
Affected versions of this package are vulnerable to Directory Traversal due to improper path validation in the repository checkout process. An attacker can modify files outside the intended target directory, including .git directories, by supplying a maliciously crafted repository payload. This is only exploitable if the repository is cloned or checked out from untrusted sources and the .git directory is stored within the same filesystem as the worktree, particularly when submodules are present.
Details
A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.
Directory Traversal vulnerabilities can be generally divided into two types:
- Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.
If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.
curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
Note %2e is the URL encoded version of . (dot).
- Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as
Zip-Slip.
One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.
The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:
2018-04-15 22:04:29 ..... 19 19 good.txt
2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
Remediation
Upgrade github.com/go-git/go-git/v5/storage/filesystem/dotgit to version 5.19.1, 6.0.0-alpha.4 or higher.
References
Improper Validation of Integrity Check Value
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.
Workaround
This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.
Remediation
Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handling of .idx files. An attacker with write access to the local repository's .git directory can exhaust system memory by introducing a maliciously crafted .idx file into the .git directory.
Remediation
Upgrade github.com/go-git/go-git/v5/plumbing/format/index to version 5.17.1 or higher.
References
Improper Validation of Array Index
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Array Index through improper validation in the index decoding for version 4 files. An attacker with write access to the .git directory to modify or inject the index file can cause a panic and terminate the process by supplying a maliciously crafted .git/index file that triggers an out-of-bounds slice operation during index parsing.
Remediation
Upgrade github.com/go-git/go-git/v5/plumbing/format/index to version 5.17.1 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Remediation
There is no fixed version for Ubuntu:25.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013
- https://akkadia.org/drepper/SHA-crypt.txt
- https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
- https://twitter.com/solardiz/status/795601240151457793
Improper Encoding or Escaping of Output
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path, potentially leading to unintended command execution on SSH servers that evaluate the exec command through a shell.
Remediation
Upgrade github.com/go-git/go-git/v5/plumbing/transport/ssh to version 5.19.1, 6.0.0-alpha.4 or higher.