This repository was archived by the owner on Dec 4, 2025. It is now read-only.
This repository was archived by the owner on Dec 4, 2025. It is now read-only.
Additional version affected ranges for GHSA-274v-mgcv-cm8j #736
Description
the above security lists argocd version ranges as affected product, but not his project / go module.
Please consider updating this advisory to include:
0.7.1-0.20250129155113-7e21b91e9d0f as the fixed version
<= 0.7.1-0.20250124211812-d78929e7f6c7 as the affected versions
Because it is tripping up GO vulnerability scanners (Snyk and Twistlock) due to no advisories being published for the argocd 2.14 onwards; and the gitops-engine go module versions have no declared fixed version as above.
The module versions above were generated with go get on the commit that fixes the advisory and the one before it; and matches the module update version that got merged into argocd.
Also see:
- [GHSA-274v-mgcv-cm8j] Argo CD GitOps Engine does not scrub secret values from patch errors github/advisory-database#5689
- [GHSA-274v-mgcv-cm8j] Argo CD GitOps Engine does not scrub secret values from patch errors github/advisory-database#5721
- Improve GHSA-274v-mgcv-cm8j github/advisory-database#5723
- Additional version affected ranges for GHSA-274v-mgcv-cm8j #736
- x/vulndb: suggestion regarding GO-2025-3437 golang/vulndb#3760