| id: GO-2024-2643 |
| modules: |
| - module: github.com/argoproj/argo-cd |
| versions: |
| - introduced: 1.2.0-rc1 |
| vulnerable_at: 1.8.6 |
| packages: |
| - package: github.com/argoproj/argo-cd/server/application |
| symbols: |
| - Server.Create |
| skip_fix: Cannot handle replace directives within the go.mod file. |
| - module: github.com/argoproj/argo-cd/v2 |
| versions: |
| - introduced: 2.0.0 |
| fixed: 2.8.12 |
| - introduced: 2.9.0 |
| fixed: 2.9.8 |
| - introduced: 2.10.0 |
| fixed: 2.10.3 |
| vulnerable_at: 2.10.2 |
| packages: |
| - package: github.com/argoproj/argo-cd/v2/server/application |
| symbols: |
| - Server.Create |
| summary: Bypass manifest during application creation in github.com/argoproj/argo-cd/v2 |
| description: |- |
| An improper validation bug allows users who have create privileges to sync a |
| local manifest during application creation. This allows for bypassing the |
| restriction that the manifests come from some approved git/Helm/OCI source. |
| cves: |
| - CVE-2023-50726 |
| ghsas: |
| - GHSA-g623-jcgg-mhmm |
| unknown_aliases: |
| - BIT-argo-cd-2023-50726 |
| credits: |
| - '@crenshaw-dev' |
| references: |
| - fix: https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978 |
| - web: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac |
