📦 Argo Cd
by Argoproj
🛡️ Security Overview
⚠️ Known Vulnerabilities
This CVE allows API tokens with project-level permissions in Argo CD to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even without explicit...
This vulnerability allows attackers to perform cross-site scripting (XSS) attacks in Argo CD's repository page. Attackers with repository edit permissions can inject malicious scripts that execute arb...
This vulnerability allows unprivileged pods in different Kubernetes namespaces to connect to Argo CD's Redis server on port 6379, potentially leading to privilege escalation to cluster controller leve...
This critical vulnerability in Argo CD allows attackers to bypass brute force login protection by exploiting a chain of flaws including a Denial of Service weakness and in-memory data storage issues. ...
This vulnerability in Argo CD exposes sensitive cluster secret data through the API. Users with 'clusters, get' RBAC permissions can access the full secret contents via the kubectl.kubernetes.io/last-...
Argo CD versions 2.3.0-rc1 through 2.6.1 contain an improper authorization vulnerability that allows users with cluster secret update permissions to modify any cluster secret. This affects organizatio...
CVE-2022-31035 is a cross-site scripting (XSS) vulnerability in Argo CD that allows attackers to inject malicious JavaScript links into the UI. When clicked by authenticated users, the script executes...
CVE-2022-24768 is an improper access control vulnerability in Argo CD that allows authorized users with specific permissions to escalate privileges to admin-level. This affects all unpatched versions ...
Argo CD versions 1.2.0 through 3.2.0-rc1 contain a vulnerability where unauthenticated API requests with malformed Bitbucket Server payloads can crash the API server, causing denial of service. This a...
This vulnerability in Argo CD allows an unauthenticated attacker to crash the argocd-server process by sending a specially crafted Azure DevOps webhook payload. Affected organizations are those runnin...
An unauthenticated attacker can send a specially crafted large JSON payload to Argo CD's /api/webhook endpoint, causing excessive memory allocation that leads to service disruption via Out Of Memory (...
CVE-2024-21661 is a critical Denial of Service vulnerability in Argo CD that allows unauthenticated attackers to crash the application by exploiting unsafe array manipulation in multi-threaded environ...
This CSRF vulnerability in Argo CD allows attackers to execute API requests on behalf of authenticated users when they can inject HTML on the same parent domain. It affects organizations hosting Argo ...
Argo CD versions 0.4.0 through 2.4.4 (excluding patched versions) have improper certificate validation for OpenID Connect providers, allowing attackers to impersonate legitimate OIDC providers. This a...
CVE-2022-1025 is an improper access control vulnerability in Argo CD that allows authenticated users to escalate privileges to admin level. All Argo CD deployments from version 1.0.0 through 2.3.0 are...
CVE-2022-31034 is a vulnerability in Argo CD's OAuth2/OIDC login flows where insufficiently random values in parameters could allow attackers to potentially gain admin access. All Argo CD installation...
Argo CD versions 1.3.0 through 2.3.0 contain a path traversal vulnerability combined with improper access control. This allows authenticated users with read-only repository access to leak sensitive fi...
This vulnerability in Argo CD allows attackers to perform directory traversal attacks through malicious Helm charts, potentially accessing sensitive files like credentials stored in YAML files. It aff...
CVE-2021-26923 is an information disclosure vulnerability in Argo CD where the /api/version endpoint leaks internal system information without requiring authentication. This affects all Argo CD deploy...
This CVE describes a race condition vulnerability in Argo CD's repository credentials handler that can cause the server to crash when concurrent operations target the same repository URL. Attackers wi...
Argo CD versions before v2.13.4, v2.12.10, and v2.11.13 expose Kubernetes Secret values in error messages and diff views when invalid Secret resources are synced from Git repositories. Any user with r...
Argo CD's web terminal feature has a privilege persistence vulnerability where users retain container access even after their exec permissions are revoked, as long as they keep the terminal session op...
This CVE describes a denial-of-service vulnerability in Argo CD where specially crafted ignoreDifferences configurations can cause excessive memory consumption via jq processing, leading to out-of-mem...