[Bot] docs: Update Snyk reports (#21180)

Signed-off-by: CI <ci@argoproj.com>
Co-authored-by: CI <ci@argoproj.com>
github-actions[bot] 2024-12-15 20:49:57 +00:00 committed by GitHub
parent b60d28c71a
commit 22fe65b4eb
GPG key ID: B5690EEEBB952194
32 changed files with 2033 additions and 721 deletions


@ -23,39 +23,39 @@ recent minor releases.
| [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
### v2.13.1
### v2.13.2
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.13.1/argocd-test.html) | 0 | 0 | 7 | 2 |
| [ui/yarn.lock](v2.13.1/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.41.1](v2.13.1/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 2 |
| [haproxy:2.6.17-alpine](v2.13.1/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
| [redis:7.0.15-alpine](v2.13.1/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [argocd:v2.13.1](v2.13.1/quay.io_argoproj_argocd_v2.13.1.html) | 0 | 0 | 3 | 10 |
| [redis:7.0.15-alpine](v2.13.1/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [install.yaml](v2.13.1/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.13.1/argocd-iac-namespace-install.html) | - | - | - | - |
| [go.mod](v2.13.2/argocd-test.html) | 1 | 0 | 7 | 2 |
| [ui/yarn.lock](v2.13.2/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.41.1](v2.13.2/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 2 |
| [haproxy:2.6.17-alpine](v2.13.2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
| [redis:7.0.15-alpine](v2.13.2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [argocd:v2.13.2](v2.13.2/quay.io_argoproj_argocd_v2.13.2.html) | 0 | 0 | 3 | 10 |
| [redis:7.0.15-alpine](v2.13.2/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [install.yaml](v2.13.2/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.13.2/argocd-iac-namespace-install.html) | - | - | - | - |
### v2.12.7
### v2.12.8
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.12.7/argocd-test.html) | 0 | 0 | 8 | 2 |
| [ui/yarn.lock](v2.12.7/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.38.0](v2.12.7/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
| [haproxy:2.6.17-alpine](v2.12.7/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
| [redis:7.0.15-alpine](v2.12.7/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [argocd:v2.12.7](v2.12.7/quay.io_argoproj_argocd_v2.12.7.html) | 0 | 0 | 3 | 11 |
| [redis:7.0.15-alpine](v2.12.7/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [install.yaml](v2.12.7/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.12.7/argocd-iac-namespace-install.html) | - | - | - | - |
| [go.mod](v2.12.8/argocd-test.html) | 1 | 0 | 8 | 2 |
| [ui/yarn.lock](v2.12.8/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.38.0](v2.12.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
| [haproxy:2.6.17-alpine](v2.12.8/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
| [redis:7.0.15-alpine](v2.12.8/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [argocd:v2.12.8](v2.12.8/quay.io_argoproj_argocd_v2.12.8.html) | 0 | 0 | 3 | 10 |
| [redis:7.0.15-alpine](v2.12.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
| [install.yaml](v2.12.8/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.12.8/argocd-iac-namespace-install.html) | - | - | - | - |
### v2.11.12
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.11.12/argocd-test.html) | 0 | 2 | 9 | 2 |
| [go.mod](v2.11.12/argocd-test.html) | 1 | 2 | 9 | 2 |
| [ui/yarn.lock](v2.11.12/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.38.0](v2.11.12/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
| [haproxy:2.6.14-alpine](v2.11.12/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 7 |


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:23:04 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:23:55 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
@ -2861,7 +2861,7 @@
</li>
<li class="card__meta__item">
Line number: 24840
Line number: 24846
</li>
</ul>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:23:14 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:24:05 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
@ -2815,7 +2815,7 @@
</li>
<li class="card__meta__item">
Line number: 2163
Line number: 2169
</li>
</ul>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:20:56 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:21:36 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -470,7 +470,7 @@
<div class="meta-counts">
<div class="meta-count"><span>7</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>26 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2158</span> <span>dependencies</span></div>
<div class="meta-count"><span>2160</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths.">
<meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:21:06 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:21:47 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -469,8 +469,8 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>43 vulnerable dependency paths</span></div>
<div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>44 vulnerable dependency paths</span></div>
<div class="meta-count"><span>969</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
@ -479,6 +479,80 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow"></span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@v0.24.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
<div class="card__section">


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:21:11 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:21:52 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:21:15 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:22:00 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:21:33 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:22:20 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -472,7 +472,7 @@
<div class="meta-counts">
<div class="meta-count"><span>20</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>100 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2378</span> <span>dependencies</span></div>
<div class="meta-count"><span>2380</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:21:38 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:22:25 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:30:13 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:31:10 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:30:22 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:31:19 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="14 known vulnerabilities found in 1075 vulnerable dependency paths.">
<meta name="description" content="15 known vulnerabilities found in 1089 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:28:19 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:29:14 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -467,8 +467,8 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>14</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>1075 vulnerable dependency paths</span></div>
<div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>1089 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2041</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
@ -477,6 +477,277 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.19.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.19.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Denial of Service (DoS)</h2>
<div class="card__section">


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="41 known vulnerabilities found in 129 vulnerable dependency paths.">
<meta name="description" content="42 known vulnerabilities found in 130 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:28:28 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:29:22 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -469,8 +469,8 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>41</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>129 vulnerable dependency paths</span></div>
<div class="meta-count"><span>42</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>130 vulnerable dependency paths</span></div>
<div class="meta-count"><span>829</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
@ -479,6 +479,80 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.38.0/hairyhenderson/gomplate/v3 <span class="list-paths__item__arrow"></span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and golang.org/x/crypto/ssh@v0.18.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@v0.18.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:28:32 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:29:27 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="37 known vulnerabilities found in 209 vulnerable dependency paths.">
<meta name="description" content="38 known vulnerabilities found in 210 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:28:51 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:29:45 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -470,8 +470,8 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>37</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>209 vulnerable dependency paths</span></div>
<div class="meta-count"><span>38</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>210 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2280</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
@ -480,6 +480,80 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: quay.io/argoproj/argocd:v2.11.12/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> /usr/local/bin/argocd
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.19.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@*
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@v0.19.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Denial of Service (DoS)</h2>
<div class="card__section">
@ -5191,6 +5265,7 @@
<li><a href="https://curl.se/docs/CVE-2024-9681.json">https://curl.se/docs/CVE-2024-9681.json</a></li>
<li><a href="https://hackerone.com/reports/2764830">https://hackerone.com/reports/2764830</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2024/11/06/2">http://www.openwall.com/lists/oss-security/2024/11/06/2</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20241213-0006/">https://security.netapp.com/advisory/ntap-20241213-0006/</a></li>
</ul>
<hr/>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:28:55 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:29:49 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:27:55 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:28:50 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:28:04 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:28:59 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="10 known vulnerabilities found in 36 vulnerable dependency paths.">
<meta name="description" content="12 known vulnerabilities found in 54 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:23:27 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:26:45 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -467,9 +467,9 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>10</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>36 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2131</span> <span>dependencies</span></div>
<div class="meta-count"><span>12</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>54 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2061</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->
@ -477,6 +477,314 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.23.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.18.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.18.0
<span class="list-paths__item__arrow"></span>
github.com/go-fed/httpsig@1.1.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.18.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.23.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.23.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">LGPL-3.0 license</h2>
<div class="card__section">
@ -538,6 +846,118 @@
<p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Denial of Service (DoS)</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
github.com/rs/cors
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
<span class="list-paths__item__arrow"></span>
github.com/rs/cors@1.9.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
<h2 id="poc">PoC</h2>
<pre><code class="language-golang">
func BenchmarkPreflightAdversarialACRH(b *testing.B) {
resps := makeFakeResponses(b.N)
req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
req.Header.Add(headerOrigin, dummyOrigin)
req.Header.Add(headerACRM, http.MethodGet)
req.Header[headerACRH] = adversarialACRH
handler := Default().Handler(testHandler)
b.ReportAllocs()
b.ResetTimer()
for i := 0; i &lt; b.N; i++ {
handler.ServeHTTP(resps[i], req)
}
}
var adversarialACRH []string
func init() { // populates adversarialACRH
n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
commas := strings.Repeat(&quot;,&quot;, n)
res := make([]string, n)
for i := range res {
res[i] = commas
}
adversarialACRH = res
}
</code></pre>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
<p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
<p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
<p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
<p>Two common types of DoS vulnerabilities:</p>
<ul>
<li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
</li>
<li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example, <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
</li>
</ul>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
<li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
<li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
@ -625,7 +1045,7 @@
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others
</li>
</ul>
@ -639,7 +1059,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.19.0
code.gitea.io/sdk/gitea@0.18.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-version@1.6.0
@ -721,7 +1141,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.109.0
github.com/xanzy/go-gitlab@0.91.1
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
@ -927,7 +1347,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.109.0
github.com/xanzy/go-gitlab@0.91.1
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
@ -938,7 +1358,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.109.0
github.com/xanzy/go-gitlab@0.91.1
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
@ -1074,7 +1494,7 @@
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1
</li>
</ul>
@ -1089,7 +1509,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/gosimple/slug@1.14.0
github.com/gosimple/slug@1.13.1
</span>
@ -1394,7 +1814,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1407,7 +1827,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1422,7 +1842,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1437,7 +1857,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1471,7 +1891,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1488,7 +1908,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="41 known vulnerabilities found in 129 vulnerable dependency paths.">
<meta name="description" content="42 known vulnerabilities found in 130 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:26:04 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:26:55 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -469,8 +469,8 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>41</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>129 vulnerable dependency paths</span></div>
<div class="meta-count"><span>42</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>130 vulnerable dependency paths</span></div>
<div class="meta-count"><span>829</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
@ -479,6 +479,80 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.38.0/hairyhenderson/gomplate/v3 <span class="list-paths__item__arrow"></span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and golang.org/x/crypto/ssh@v0.18.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@v0.18.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:23:37 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:26:58 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:26:12 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:27:03 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:26:35 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:27:27 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:25:26 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:26:19 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
@ -881,7 +881,7 @@
</li>
<li class="card__meta__item">
Line number: 23359
Line number: 23358
</li>
</ul>
@ -933,7 +933,7 @@
</li>
<li class="card__meta__item">
Line number: 23658
Line number: 23657
</li>
</ul>
@ -991,7 +991,7 @@
</li>
<li class="card__meta__item">
Line number: 22896
Line number: 22895
</li>
</ul>
@ -1049,7 +1049,7 @@
</li>
<li class="card__meta__item">
Line number: 23165
Line number: 23164
</li>
</ul>
@ -1107,7 +1107,7 @@
</li>
<li class="card__meta__item">
Line number: 23119
Line number: 23118
</li>
</ul>
@ -1165,7 +1165,7 @@
</li>
<li class="card__meta__item">
Line number: 23225
Line number: 23224
</li>
</ul>
@ -1223,7 +1223,7 @@
</li>
<li class="card__meta__item">
Line number: 23330
Line number: 23329
</li>
</ul>
@ -1281,7 +1281,7 @@
</li>
<li class="card__meta__item">
Line number: 23354
Line number: 23353
</li>
</ul>
@ -1339,7 +1339,7 @@
</li>
<li class="card__meta__item">
Line number: 23658
Line number: 23657
</li>
</ul>
@ -1397,7 +1397,7 @@
</li>
<li class="card__meta__item">
Line number: 23411
Line number: 23410
</li>
</ul>
@ -1455,7 +1455,7 @@
</li>
<li class="card__meta__item">
Line number: 23743
Line number: 23742
</li>
</ul>
@ -1513,7 +1513,7 @@
</li>
<li class="card__meta__item">
Line number: 24133
Line number: 24132
</li>
</ul>
@ -1565,7 +1565,7 @@
</li>
<li class="card__meta__item">
Line number: 23145
Line number: 23144
</li>
</ul>
@ -1617,7 +1617,7 @@
</li>
<li class="card__meta__item">
Line number: 22896
Line number: 22895
</li>
</ul>
@ -1669,7 +1669,7 @@
</li>
<li class="card__meta__item">
Line number: 23119
Line number: 23118
</li>
</ul>
@ -1721,7 +1721,7 @@
</li>
<li class="card__meta__item">
Line number: 23330
Line number: 23329
</li>
</ul>
@ -1779,7 +1779,7 @@
</li>
<li class="card__meta__item">
Line number: 22896
Line number: 22895
</li>
</ul>
@ -1837,7 +1837,7 @@
</li>
<li class="card__meta__item">
Line number: 23119
Line number: 23118
</li>
</ul>
@ -1895,7 +1895,7 @@
</li>
<li class="card__meta__item">
Line number: 23165
Line number: 23164
</li>
</ul>
@ -1953,7 +1953,7 @@
</li>
<li class="card__meta__item">
Line number: 23225
Line number: 23224
</li>
</ul>
@ -2011,7 +2011,7 @@
</li>
<li class="card__meta__item">
Line number: 23330
Line number: 23329
</li>
</ul>
@ -2069,7 +2069,7 @@
</li>
<li class="card__meta__item">
Line number: 23354
Line number: 23353
</li>
</ul>
@ -2127,7 +2127,7 @@
</li>
<li class="card__meta__item">
Line number: 23658
Line number: 23657
</li>
</ul>
@ -2185,7 +2185,7 @@
</li>
<li class="card__meta__item">
Line number: 23411
Line number: 23410
</li>
</ul>
@ -2243,7 +2243,7 @@
</li>
<li class="card__meta__item">
Line number: 23743
Line number: 23742
</li>
</ul>
@ -2301,7 +2301,7 @@
</li>
<li class="card__meta__item">
Line number: 24133
Line number: 24132
</li>
</ul>
@ -2357,7 +2357,7 @@
</li>
<li class="card__meta__item">
Line number: 23043
Line number: 23042
</li>
</ul>
@ -2413,7 +2413,7 @@
</li>
<li class="card__meta__item">
Line number: 23173
Line number: 23172
</li>
</ul>
@ -2469,7 +2469,7 @@
</li>
<li class="card__meta__item">
Line number: 23148
Line number: 23147
</li>
</ul>
@ -2525,7 +2525,7 @@
</li>
<li class="card__meta__item">
Line number: 23264
Line number: 23263
</li>
</ul>
@ -2581,7 +2581,7 @@
</li>
<li class="card__meta__item">
Line number: 23347
Line number: 23346
</li>
</ul>
@ -2637,7 +2637,7 @@
</li>
<li class="card__meta__item">
Line number: 23361
Line number: 23360
</li>
</ul>
@ -2693,7 +2693,7 @@
</li>
<li class="card__meta__item">
Line number: 23665
Line number: 23664
</li>
</ul>
@ -2749,7 +2749,7 @@
</li>
<li class="card__meta__item">
Line number: 23631
Line number: 23630
</li>
</ul>
@ -2805,7 +2805,7 @@
</li>
<li class="card__meta__item">
Line number: 24034
Line number: 24033
</li>
</ul>
@ -2861,7 +2861,7 @@
</li>
<li class="card__meta__item">
Line number: 24352
Line number: 24351
</li>
</ul>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:25:35 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:26:29 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="11 known vulnerabilities found in 37 vulnerable dependency paths.">
<meta name="description" content="11 known vulnerabilities found in 53 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:25:56 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:24:18 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -468,8 +468,8 @@
<div class="meta-counts">
<div class="meta-count"><span>11</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>37 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2061</span> <span>dependencies</span></div>
<div class="meta-count"><span>53 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2131</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->
@ -477,6 +477,314 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.27.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.19.0
<span class="list-paths__item__arrow"></span>
github.com/go-fed/httpsig@1.1.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.19.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/ssh-agent@0.3.3
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/agent@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
<span class="list-paths__item__arrow"></span>
github.com/skeema/knownhosts@1.2.2
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh/knownhosts@0.27.0
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@0.27.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">LGPL-3.0 license</h2>
<div class="card__section">
@ -538,118 +846,6 @@
<p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Denial of Service (DoS)</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
github.com/rs/cors
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
<span class="list-paths__item__arrow"></span>
github.com/rs/cors@1.9.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
<h2 id="poc">PoC</h2>
<pre><code class="language-golang">
func BenchmarkPreflightAdversarialACRH(b *testing.B) {
resps := makeFakeResponses(b.N)
req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
req.Header.Add(headerOrigin, dummyOrigin)
req.Header.Add(headerACRM, http.MethodGet)
req.Header[headerACRH] = adversarialACRH
handler := Default().Handler(testHandler)
b.ReportAllocs()
b.ResetTimer()
for i := 0; i &lt; b.N; i++ {
handler.ServeHTTP(resps[i], req)
}
}
var adversarialACRH []string
func init() { // populates adversarialACRH
n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
commas := strings.Repeat(&quot;,&quot;, n)
res := make([]string, n)
for i := range res {
res[i] = commas
}
adversarialACRH = res
}
</code></pre>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
<p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
<p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
<p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
<p>Two common types of DoS vulnerabilities:</p>
<ul>
<li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
</li>
<li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example, <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
</li>
</ul>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
<li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
<li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
@ -737,7 +933,7 @@
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others
github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
</li>
</ul>
@ -751,7 +947,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.18.0
code.gitea.io/sdk/gitea@0.19.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-version@1.6.0
@ -833,7 +1029,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.91.1
github.com/xanzy/go-gitlab@0.109.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
@ -1039,7 +1235,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.91.1
github.com/xanzy/go-gitlab@0.109.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
@ -1050,7 +1246,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.91.1
github.com/xanzy/go-gitlab@0.109.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
@ -1186,7 +1382,7 @@
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
</li>
</ul>
@ -1201,7 +1397,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/gosimple/slug@1.13.1
github.com/gosimple/slug@1.14.0
</span>
@ -1506,7 +1702,7 @@
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1519,7 +1715,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1534,7 +1730,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1549,7 +1745,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1583,7 +1779,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0
@ -1600,7 +1796,7 @@
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
<span class="list-paths__item__arrow"></span>
github.com/bradleyfalzon/ghinstallation/v2@2.6.0
github.com/bradleyfalzon/ghinstallation/v2@2.11.0
<span class="list-paths__item__arrow"></span>
github.com/golang-jwt/jwt/v4@4.5.0


@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths.">
<meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:23:34 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:24:25 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@ -469,8 +469,8 @@
</div>
<div class="meta-counts">
<div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>43 vulnerable dependency paths</span></div>
<div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>44 vulnerable dependency paths</span></div>
<div class="meta-count"><span>969</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
@ -479,6 +479,80 @@
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow"></span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/crypto/ssh
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow"></span>
golang.org/x/crypto/ssh@v0.24.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
<p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
<p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
<li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
<li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
<div class="card__section">


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:26:08 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:24:28 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:23:41 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:24:32 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>


@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">December 8th 2024, 12:24:03 am (UTC+00:00)</p>
<p class="timestamp">December 15th 2024, 12:24:54 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>