Checklist:
argocd version
Describe the bug
Go-git includes a fresh CVE in versions (>=5.0.0 <5.11.0). This makes ArgoCD in version 2.9.3 include a CVE.
To Reproduce
```shell
echo -e "FROM ubuntu\nRUN apt update && apt install -y curl\nRUN curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.9.3/argocd-linux-amd64\nRUN chmod +x /usr/local/bin/argocd" > Dockerfile
docker build -t argocd-test .
docker scout cves --exit-code --locations --only-severity critical argocd-test
```
Expected behavior
I'd expect argocd to not contain any critical vulnerabilities.
Actual behavior
Docker scout output:
```
✓ SBOM of image already cached, 417 packages indexed
✗ Detected 1 vulnerable package with 1 vulnerability

## Overview

                    │ Analyzed Image
────────────────────┼──────────────────────────────
Target              │ argocd-test:latest
  digest            │ 7e5614fcd659
  platform          │ linux/amd64
  vulnerabilities   │ 1C 0H 0M 0L
  size              │ 209 MB
  packages          │ 417

## Packages and Vulnerabilities

  1C 0H 0M 0L  github.com/go-git/go-git/v5 5.8.1
pkg:golang/github.com/go-git/go-git/v5@5.8.1

    8: sha256:fa922f876fcb5d1d37b930f5cb7ecce22d96e8b9a71304afc7c436243f037ce5 /usr/local/bin/argocd (evident by)

    ✗ CRITICAL CVE-2023-49569 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
      https://scout.docker.com/v/CVE-2023-49569
      Affected range : >=5.0.0
                     : <5.11.0
      Fixed version  : 5.11.0
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

1 vulnerability found in 1 package
  LOW       0
  MEDIUM    0
  HIGH      0
  CRITICAL  1

What's Next?
  View base image update recommendations → docker scout recommendations argocd-test:latest
```
Version
```
argocd: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:24:09Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.4
  Compiler: gc
  Platform: linux/amd64
FATA[0000] Argo CD server address unspecified
```
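A scanner is one way to confirm the finding; another is to read the module list that the Go toolchain embeds in the argocd binary (`go version -m <binary>`) and compare the go-git version against the affected range the report gives (>=5.0.0, <5.11.0, fixed in 5.11.0). The check below is an added example, not code from this issue or from the Argo CD project; the `go version -m` text it ships with is a constructed sample that mirrors the v5.8.1 build flagged above.

```python
import re

# Constructed sample of `go version -m /usr/local/bin/argocd` output for a build
# that embeds go-git v5.8.1, the version Docker Scout reported above.
SAMPLE_GO_VERSION_M = """/usr/local/bin/argocd: go1.21.4
\tpath\tgithub.com/argoproj/argo-cd/v2
\tmod\tgithub.com/argoproj/argo-cd/v2\t(devel)
\tdep\tgithub.com/go-git/go-git/v5\tv5.8.1\th1:placeholder-hash
\tdep\tgithub.com/google/go-cmp\tv0.6.0\th1:placeholder-hash
"""

# Affected range and fix version exactly as reported for CVE-2023-49569.
GO_GIT_MODULE = "github.com/go-git/go-git/v5"
AFFECTED_MIN = (5, 0, 0)   # inclusive lower bound (>=5.0.0)
FIXED = (5, 11, 0)         # exclusive upper bound (<5.11.0)

def parse_semver(v):
    """Turn 'v5.8.1' (any -pre/+meta suffix ignored) into a comparable int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def embedded_modules(go_version_m_output):
    """Map module path -> version for every tab-separated 'dep'/'mod' line."""
    mods = {}
    for line in go_version_m_output.splitlines():
        fields = line.split("\t")           # ['', 'dep', '<path>', '<version>', '<hash>']
        if len(fields) >= 4 and fields[1] in ("dep", "mod"):
            mods[fields[2]] = fields[3]
    return mods

def go_git_status(go_version_m_output):
    """Return (go-git version, in_affected_range); (None, False) if go-git is absent."""
    version = embedded_modules(go_version_m_output).get(GO_GIT_MODULE)
    if version is None:
        return None, False
    return version, AFFECTED_MIN <= parse_semver(version) < FIXED

if __name__ == "__main__":
    import subprocess, sys
    # With a binary path as argument, run the real `go version -m`; otherwise use the sample.
    if len(sys.argv) > 1:
        out = subprocess.run(["go", "version", "-m", sys.argv[1]],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_GO_VERSION_M
    v, vuln = go_git_status(out)
    print(f"go-git {v}: {'in CVE-2023-49569 affected range' if vuln else 'not in affected range'}")
```

This only reads the module metadata Go records at build time, so it needs no network and no container image; it tells you whether the binary you already ship embeds an affected go-git, not whether Argo CD's code paths reach the vulnerable behaviour.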
Potential fix is in: #16711.
dup of #16822
Duplicate of #16822