
Security scan finds known vulnerability in ArgoCD v2.9.5 dependencies #17020

Closed
3 tasks done
VladislavDubrovenski opened this issue Jan 28, 2024 · 1 comment
Labels
bug/priority:low Cosmetic bug or minor annoyance with no real impact on functionality. security Security related

Comments

@VladislavDubrovenski

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

  • fixedVersion: 0.17.0
    installedVersion: v0.14.0
    lastModifiedDate: "2024-01-25T04:15:07Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-48795
    publishedDate: "2023-12-18T16:15:10Z"
    resource: golang.org/x/crypto
    score: 5.9
    severity: MEDIUM
    target: ""
    title: 'ssh: Prefix truncation attack on Binary Packet Protocol (BPP)'
    vulnerabilityID: CVE-2023-48795

  • fixedVersion: 0.17.0
    installedVersion: v0.16.0
    lastModifiedDate: "2024-01-25T04:15:07Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-48795
    publishedDate: "2023-12-18T16:15:10Z"
    resource: golang.org/x/crypto
    score: 5.9
    severity: MEDIUM
    target: ""
    title: 'ssh: Prefix truncation attack on Binary Packet Protocol (BPP)'
    vulnerabilityID: CVE-2023-48795

To Reproduce

Aqua Trivy Scan

Expected behavior

Scanners don't flag this...

Version
2.9.5

@VladislavDubrovenski VladislavDubrovenski added the bug Something isn't working label Jan 28, 2024
@blakepettersson blakepettersson added security Security related bug/priority:low Cosmetic bug or minor annoyance with no real impact on functionality. and removed bug Something isn't working labels Jan 29, 2024
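To triage findings like the two above in a script, here is an added example (not part of this issue or of Argo CD's code) that compares each installedVersion against its fixedVersion; it handles the mixed spelling seen in the report, where the installed version carries a "v" prefix and the fixed version does not. The sample findings are constructed from the entries above, with a third entry showing the module after the upgrade.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding keeps the fields of one Trivy entry that matter for triage.
type Finding struct {
	VulnerabilityID, Resource, InstalledVersion, FixedVersion string
}

// Outdated reports whether installed predates fixed (major, minor, patch compared
// numerically). The report writes "v0.14.0" but "0.17.0", so "v" is stripped first.
func Outdated(installed, fixed string) (bool, error) {
	var v [2][3]int
	for k, s := range []string{installed, fixed} {
		parts := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".", 3)
		if len(parts) != 3 { // pseudo-versions and labels like "latest" are rejected
			return false, fmt.Errorf("unexpected version %q", s)
		}
		for i, p := range parts {
			var err error
			if v[k][i], err = strconv.Atoi(p); err != nil {
				return false, fmt.Errorf("unexpected version %q: %w", s, err)
			}
		}
	}
	for i := 0; i < 3; i++ {
		if v[0][i] != v[1][i] {
			return v[0][i] < v[1][i], nil
		}
	}
	return false, nil // identical versions: the fix is already present
}

// Constructed sample: the two findings above plus the module after the upgrade.
var findings = []Finding{
	{"CVE-2023-48795", "golang.org/x/crypto", "v0.14.0", "0.17.0"},
	{"CVE-2023-48795", "golang.org/x/crypto", "v0.16.0", "0.17.0"},
	{"CVE-2023-48795", "golang.org/x/crypto", "v0.17.0", "0.17.0"},
}

func main() {
	for _, f := range findings {
		out, err := Outdated(f.InstalledVersion, f.FixedVersion)
		fmt.Printf("%s %s %s upgrade needed=%v err=%v\n", f.VulnerabilityID, f.Resource, f.InstalledVersion, out, err)
	}
}
```

Go pseudo-versions (for example a commit-based `v0.0.0-...` string) are reported as an error rather than compared, so such entries are surfaced for manual review instead of being silently passed.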
@blakepettersson
Member

The new version of golang.org/x/crypto is in master with #16645.

As for cherry-picking it back to 2.9.x or 2.10.x, see this comment.
