Snyk - Open Source Security

Snyk test report

May 26th 2024, 12:15:49 am (UTC+00:00)

Scanned the following paths:
  • /argo-cd/argoproj/argo-cd/v2/go.mod (gomodules)
  • /argo-cd/ui/yarn.lock (yarn)
7 known vulnerabilities
25 vulnerable dependency paths
2057 dependencies

LGPL-3.0 license

medium severity
  • Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod
  • Package Manager: golang
  • Module: gopkg.in/retry.v1
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0, github.com/Azure/kubelogin/pkg/token@0.0.20 and others

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/Azure/kubelogin/pkg/token@0.0.20 gopkg.in/retry.v1@1.0.3

LGPL-3.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod
  • Package Manager: golang
  • Module: github.com/r3labs/diff
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 and github.com/r3labs/diff@1.1.0

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/r3labs/diff@1.1.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod
  • Package Manager: golang
  • Module: github.com/hashicorp/go-version
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 code.gitea.io/sdk/gitea@0.18.0 github.com/hashicorp/go-version@1.6.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod
  • Package Manager: golang
  • Module: github.com/hashicorp/go-retryablehttp
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.4

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/xanzy/go-gitlab@0.91.1 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/cmd@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/api@#f48567108f01 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/controller@#f48567108f01 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/cmd@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/api@#f48567108f01 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/controller@#f48567108f01 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod
  • Package Manager: golang
  • Module: github.com/hashicorp/go-cleanhttp
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.4 and others

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/xanzy/go-gitlab@0.91.1 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/xanzy/go-gitlab@0.91.1 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/cmd@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/api@#f48567108f01 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/argoproj/notifications-engine/pkg/controller@#f48567108f01 github.com/argoproj/notifications-engine/pkg/subscriptions@#f48567108f01 github.com/argoproj/notifications-engine/pkg/services@#f48567108f01 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 github.com/hashicorp/go-retryablehttp@0.7.4 github.com/hashicorp/go-cleanhttp@0.5.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod
  • Package Manager: golang
  • Module: github.com/gosimple/slug
  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 github.com/gosimple/slug@1.13.1

MPL-2.0 license

More about this vulnerability

Template Injection

medium severity
  • Manifest file: /argo-cd ui/yarn.lock
  • Package Manager: npm
  • Vulnerable module: dompurify
  • Introduced through: argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others

Detailed paths

  • Introduced through: argo-cd-ui@1.0.0 redoc@2.0.0-rc.64 dompurify@2.3.6

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Template Injection in purify.js, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML CDATA blocks.

PoC

<![CDATA[ ><img src onerror=alert(1)> ]]>

Remediation

Upgrade dompurify to version 2.4.9, 3.0.11 or higher.

References

More about this vulnerability