Snyk test report
- quay.io/argoproj/argocd:v3.2.0-rc1/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:v3.2.0-rc1/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:v3.2.0-rc1//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:v3.2.0-rc1/helm/v3//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:v3.2.0-rc1/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
Improper Handling of Unexpected Data Type
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
A fix was pushed into the master branch but not yet published.
References
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
Remediation
There is no fixed version for Ubuntu:25.04 tar.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
- https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
- https://www.gnu.org/software/tar/
- https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
- https://www.gnu.org/software/tar/manual/html_node/Integrity.html
- https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
Out-of-bounds Write
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pcre2 package and not the pcre2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46.
Remediation
Upgrade Ubuntu:25.04 pcre2 to version 10.45-1ubuntu0.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-58050
- https://github.com/PCRE2Project/pcre2/commit/a141712e5967d448c7ce13090ab530c8e3d82254
- https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46
- https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.
Remediation
There is no fixed version for Ubuntu:25.04 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
- https://access.redhat.com/security/cve/CVE-2025-8941
- https://bugzilla.redhat.com/show_bug.cgi?id=2388220
- https://access.redhat.com/errata/RHSA-2025:14557
- https://access.redhat.com/errata/RHSA-2025:15100
- https://access.redhat.com/errata/RHSA-2025:15104
- https://access.redhat.com/errata/RHSA-2025:15107
- https://access.redhat.com/errata/RHSA-2025:15099
- https://access.redhat.com/errata/RHSA-2025:15101
- https://access.redhat.com/errata/RHSA-2025:15102
- https://access.redhat.com/errata/RHSA-2025:15103
- https://access.redhat.com/errata/RHSA-2025:15105
- https://access.redhat.com/errata/RHSA-2025:15106
- https://access.redhat.com/errata/RHSA-2025:15709
- https://access.redhat.com/errata/RHSA-2025:15828
- https://access.redhat.com/errata/RHSA-2025:15827
- https://access.redhat.com/errata/RHSA-2025:16524
Improper Authentication
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.
Remediation
Upgrade Ubuntu:25.04 pam to version 1.5.3-7ubuntu4.4 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963
- https://access.redhat.com/security/cve/CVE-2024-10963
- https://bugzilla.redhat.com/show_bug.cgi?id=2324291
- https://access.redhat.com/errata/RHSA-2024:10232
- https://access.redhat.com/errata/RHSA-2024:10244
- https://access.redhat.com/errata/RHSA-2024:10379
- https://access.redhat.com/errata/RHSA-2024:10518
- https://access.redhat.com/errata/RHSA-2024:10528
- https://access.redhat.com/errata/RHSA-2024:10852
CVE-2025-8058
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.
Remediation
Upgrade Ubuntu:25.04 glibc to version 2.41-6ubuntu1.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058
- https://sourceware.org/bugzilla/show_bug.cgi?id=33185
- https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f
Improper Encoding or Escaping of Output
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Remediation
There is no fixed version for Ubuntu:25.04 git.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
- https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
- https://lore.kernel.org/git/[email protected]
CVE-2024-56433
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Remediation
There is no fixed version for Ubuntu:25.04 shadow.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433
- https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
- https://github.com/shadow-maint/shadow/issues/1157
- https://github.com/shadow-maint/shadow/releases/tag/4.4
Double Free
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
Remediation
There is no fixed version for Ubuntu:25.04 patch.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952
- https://security-tracker.debian.org/tracker/CVE-2018-6952
- https://security.gentoo.org/glsa/201904-17
- https://savannah.gnu.org/bugs/index.php?53133
- https://access.redhat.com/errata/RHSA-2019:2033
- http://www.securityfocus.com/bid/103047
Release of Invalid Pointer or Reference
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
Remediation
There is no fixed version for Ubuntu:25.04 patch.
References
Information Exposure
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Remediation
There is no fixed version for Ubuntu:25.04 libgcrypt20.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236
- https://access.redhat.com/errata/RHSA-2024:9404
- https://bugzilla.redhat.com/show_bug.cgi?id=2268268
- https://access.redhat.com/errata/RHSA-2025:3534
- https://access.redhat.com/errata/RHSA-2025:3530
- https://access.redhat.com/security/cve/CVE-2024-2236
- https://bugzilla.redhat.com/show_bug.cgi?id=2245218
Out-of-bounds Write
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
Remediation
There is no fixed version for Ubuntu:25.04 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219
- https://access.redhat.com/security/cve/CVE-2022-3219
- https://bugzilla.redhat.com/show_bug.cgi?id=2127010
- https://dev.gnupg.org/D556
- https://dev.gnupg.org/T5993
- https://marc.info/?l=oss-security&m=165696590211434&w=4
- https://security.netapp.com/advisory/ntap-20230324-0001/
Allocation of Resources Without Limits or Throttling
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Remediation
There is no fixed version for Ubuntu:25.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013
- https://akkadia.org/drepper/SHA-crypt.txt
- https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
- https://twitter.com/solardiz/status/795601240151457793
CVE-2025-6297
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.
Remediation
Upgrade Ubuntu:25.04 dpkg to version 1.22.18ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6297
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
CVE-2025-9086
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
- A cookie is set using the
securekeyword forhttps://target - curl is redirected to or otherwise made to speak with
http://target(same hostname, but using clear text HTTP) using the same cookie set - The same cookie name is set - but with just a slash as path (
path='/'). Since this site is not secure, the cookie should just be ignored. - A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
Remediation
There is no fixed version for Ubuntu:25.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086
- https://curl.se/docs/CVE-2025-9086.html
- https://curl.se/docs/CVE-2025-9086.json
- https://hackerone.com/reports/3294999
CVE-2025-10148
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
Remediation
There is no fixed version for Ubuntu:25.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148
- https://curl.se/docs/CVE-2025-10148.html
- https://curl.se/docs/CVE-2025-10148.json
- https://hackerone.com/reports/3330839
Improper Input Validation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.04 relevant fixed versions and status.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
Remediation
There is no fixed version for Ubuntu:25.04 coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
- https://security-tracker.debian.org/tracker/CVE-2016-2781
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://www.openwall.com/lists/oss-security/2016/02/28/2
- http://www.openwall.com/lists/oss-security/2016/02/28/3
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E