{"url":"http://public2.vulnerablecode.io/api/packages/108251?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.10.3","type":"golang","namespace":"github.com/argoproj/argo-cd","name":"v2","version":"2.10.3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.10.4","latest_non_vulnerable_version":"2.14.20","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85396?format=json","vulnerability_id":"VCID-csyu-sj6e-vqbf","summary":"Users with `create` but not `override` privileges can perform local sync\n### Impact\n\n\"Local sync\" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.\n\nAn improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is _not_ enforced is that the manifests come from some approved git/Helm/OCI source.\n\nThe bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added.\n\n### Patches\n\nThe bug has been patched in the following versions:\n\n* 2.10.3\n* 2.9.8\n* 2.8.12\n\n### Workarounds\n\nTo immediately mitigate the risk of branch protection bypass, remove `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.\n\nBranch protection rules and review requirements are a great way to enforce security constraints in a GitOps environment, but they should be just one layer in a multi-layered approach. Make sure your AppProject and RBAC restrictions are as thorough as possible to prevent a review bypass vulnerability from permitting excessive damage.\n\n### References\n\n* [Argo CD RBAC documentation](https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/)\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50726.json","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50726.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50726","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07162","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07141","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07185","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07193","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07199","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50726"},{"reference_url":"https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-14T15:56:02Z/"}],"url":"https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-14T15:56:02Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-14T15:56:02Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50726","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50726"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2269479","reference_id":"2269479","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2269479"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1697","reference_id":"RHSA-2024:1697","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1697"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1700","reference_id":"RHSA-2024:1700","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1752","reference_id":"RHSA-2024:1752","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1752"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1753","reference_id":"RHSA-2024:1753","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1753"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/108252?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.8.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.8.12"},{"url":"http://public2.vulnerablecode.io/api/packages/108250?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.9.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.9.8"},{"url":"http://public2.vulnerablecode.io/api/packages/108251?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.10.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.10.3"}],"aliases":["CVE-2023-50726","GHSA-g623-jcgg-mhmm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-csyu-sj6e-vqbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85386?format=json","vulnerability_id":"VCID-wae1-18e2-tbbw","summary":"Cross-site scripting on application summary component\n### Summary\n\nDue to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions.\n\n### Impact\n\nAll unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin).\n\nThis vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources.\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.10.3\n* v2.9.8\n* v2.8.12\n\n### Workarounds\n\nThere are no completely-safe workarounds besides **upgrading**. The safest alternative, if upgrading is not possible, would be to create a [Kubernetes admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to reject any resources with an annotation starting with `link.argocd.argoproj.io` or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.\n\n#### Mitigations\n\n1. Avoid clicking external links presented in the UI.\nThe link's title is user-configurable. So even if you hover the link, and the tooltip looks safe, the link might be malicious. The only way to be certain that the link is safe is to inspect the page's source.\n2. Carefully limit who has permissions to edit Kubernetes resource manifests (this is configured in [RBAC](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/) for ArgoCD). \nThe external-links are set as annotations on Kubernetes resources. Any persona with write access to resources managed by ArgoCD could be an actor.\n\n### References\n[Documentation for the external links feature](https://argo-cd.readthedocs.io/en/stable/user-guide/external-url/)\n\n### Credits\n\nDisclosed by [RyotaK](https://ryotak.net) (@Ry0taK)\n\n### For more information\n\n- Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n- Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28175.json","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28175.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28175","reference_id":"","reference_type":"","scores":[{"value":"0.00476","scoring_system":"epss","scoring_elements":"0.65292","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00476","scoring_system":"epss","scoring_elements":"0.65273","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00476","scoring_system":"epss","scoring_elements":"0.65283","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00476","scoring_system":"epss","scoring_elements":"0.65285","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00476","scoring_system":"epss","scoring_elements":"0.65295","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28175"},{"reference_url":"https://github.com/argoproj/argo-cd","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/argoproj/argo-cd"},{"reference_url":"https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-14T15:46:16Z/"}],"url":"https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"},{"reference_url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-14T15:46:16Z/"}],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28175","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28175"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268518","reference_id":"2268518","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1345","reference_id":"RHSA-2024:1345","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1345"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1346","reference_id":"RHSA-2024:1346","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1346"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1441","reference_id":"RHSA-2024:1441","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1441"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/108252?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.8.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.8.12"},{"url":"http://public2.vulnerablecode.io/api/packages/108250?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.9.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.9.8"},{"url":"http://public2.vulnerablecode.io/api/packages/108251?format=json","purl":"pkg:golang/github.com/argoproj/argo-cd/v2@2.10.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.10.3"}],"aliases":["CVE-2024-28175","GHSA-jwv5-8mqv-g387"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wae1-18e2-tbbw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/argoproj/argo-cd/v2@2.10.3"}