CVE-2024-13484 on argoproj/argocd/v2 #21743
Replies: 5 comments
-
Reviewing with RedHat maintainers now. The CVE is very specific to OpenShift's implementation of Argo CD and shouldn't be pointing at Argo CD itself.
-
This issue affects only GitOps Operator, not Argo CD. I wonder how it ended up as related to Argo CD.
-
We'll have this fixed, sorry for the confusion.
-
The CVE description is updated in
-
Hello team,
I would like to understand, has anyone taken a look at the vulnerability pointed out in go.dev?
I'm a little confused and I believe there may be some incorrect information in Golang's vulndb.
CVE's statement is about the package openshift-gitops-1/argocd-rhel8, which from my understanding is a modified version of ArgoCD made by RedHat.
However, the Vulndb note is affecting the entire ArgoCD project.
Reference:
ArgoCD go.dev page: https://pkg.go.dev/github.com/argoproj/argo-cd/[email protected]
GO Vulndb: https://pkg.go.dev/vuln/GO-2025-3427
Github Advisory Database: GHSA-58fx-7v9q-3g56
CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-13484 / https://vulert.com/vuln-db/CVE-2024-13484
RedHat Security: https://access.redhat.com/security/cve/CVE-2024-13484