argo-cd-2.12.advisories.yaml

schema-version: 2.0.2

package:
  name: argo-cd-2.12

advisories:
  - id: CGA-59fg-fwfg-r72p
    aliases:
      - CVE-2024-35255
      - GHSA-m5vv-6r4h-3vj9
    events:
      - timestamp: 2024-08-06T23:01:36Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-cd-2.12
            componentID: 6649e83b9b682b57
            componentName: github.com/Azure/azure-sdk-for-go/sdk/azidentity
            componentVersion: v1.1.0
            componentType: go-module
            componentLocation: /usr/bin/argocd
            scanner: grype
      - timestamp: 2024-08-16T12:45:37Z
        type: pending-upstream-fix
        data:
          note: This vulnerability requires upstream changes to upgrade a strict dependency 'github.com/Azure/kubelogin' from the current v0.0.20 version to v0.1.3 which does not contain any vulnerable code.

  - id: CGA-cqgw-hf7g-vm4x
    aliases:
      - CVE-2024-34155
      - GHSA-8xfx-rj4p-23jm
    events:
      - timestamp: 2024-09-10T07:12:40Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-cd-2.12
            componentID: 93ba1e2cd6e62782
            componentName: stdlib
            componentVersion: go1.23.0
            componentType: go-module
            componentLocation: /usr/bin/argocd
            scanner: grype
      - timestamp: 2024-09-12T00:39:32Z
        type: fixed
        data:
          fixed-version: 2.12.3-r1

  - id: CGA-w23p-x3vf-72hx
    aliases:
      - CVE-2024-5321
      - GHSA-82m2-cv7p-4m75
    events:
      - timestamp: 2024-08-06T23:01:35Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-cd-2.12
            componentID: 61c300fe1902f686
            componentName: k8s.io/kubernetes
            componentVersion: v1.29.6
            componentType: go-module
            componentLocation: /usr/bin/argocd
            scanner: grype
      - timestamp: 2024-08-16T12:45:19Z
        type: pending-upstream-fix
        data:
          note: This vulnerability requires code changes in the upstream repository and an upgrade of the used Kubernetes version with potential unexpected results.
      - timestamp: 2024-09-12T00:39:32Z
        type: fixed
        data:
          fixed-version: 2.12.3-r1

  - id: CGA-x55r-5fg4-3vxv
    aliases:
      - CVE-2024-34156
      - GHSA-crqm-pwhx-j97f
    events:
      - timestamp: 2024-09-10T07:12:42Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-cd-2.12
            componentID: 93ba1e2cd6e62782
            componentName: stdlib
            componentVersion: go1.23.0
            componentType: go-module
            componentLocation: /usr/bin/argocd
            scanner: grype
      - timestamp: 2024-09-12T00:39:33Z
        type: fixed
        data:
          fixed-version: 2.12.3-r1

  - id: CGA-xvph-r2q6-xwhx
    aliases:
      - CVE-2024-34158
      - GHSA-j7vj-rw65-4v26
    events:
      - timestamp: 2024-09-10T07:12:43Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-cd-2.12
            componentID: 93ba1e2cd6e62782
            componentName: stdlib
            componentVersion: go1.23.0
            componentType: go-module
            componentLocation: /usr/bin/argocd
            scanner: grype
      - timestamp: 2024-09-12T00:39:33Z
        type: fixed
        data:
          fixed-version: 2.12.3-r1