| id: GO-2022-0453 |
| modules: |
| - module: github.com/argoproj/argo-cd |
| vulnerable_at: 1.8.6 |
| - module: github.com/argoproj/argo-cd/v2 |
| versions: |
| - fixed: 2.1.15 |
| - introduced: 2.2.0 |
| - fixed: 2.2.9 |
| - introduced: 2.3.0 |
| - fixed: 2.3.4 |
| vulnerable_at: 2.3.3 |
| summary: |- |
| Symlink following allows leaking out-of-bound manifests and JSON files from Argo |
| CD repo-server in github.com/argoproj/argo-cd |
| cves: |
| - CVE-2022-24904 |
| ghsas: |
| - GHSA-6gcg-hp2x-q54h |
| references: |
| - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24904 |
| - fix: https://github.com/argoproj/argo-cd/commit/5e767a4b9e30983330c0fdec322192281a90eb84 |
| - fix: https://github.com/argoproj/argo-cd/commit/7357cfdb58a560de70a0538c6e3bef6fe39505ea |
| - fix: https://github.com/argoproj/argo-cd/commit/d36d95dc9f71ec61c1a93794f81ece6d61a0d943 |
| - web: https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 |
| - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 |
| - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 |
| source: |
| id: GHSA-6gcg-hp2x-q54h |
| created: 2024-08-20T13:57:44.583507-04:00 |
| review_status: UNREVIEWED |
| unexcluded: EFFECTIVELY_PRIVATE |
