Snyk test report
- quay.io/argoproj/argocd:v2.13.8/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:v2.13.8/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:v2.13.8//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:v2.13.8/helm/v3//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:v2.13.8/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.
Remediation
Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.
References
Server-side Request Forgery (SSRF)
Detailed paths
Overview
golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.
Remediation
Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.
References
Denial of Service (DoS)
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Denial of Service (DoS) through the functions parseDoctype, htmlIntegrationPoint, inBodyIM and inTableIM due to inefficient usage of the method strings.ToLower combining with the == operator to convert strings to lowercase and then comparing them.
An attacker can cause the application to slow down significantly by crafting inputs that are processed non-linearly.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade golang.org/x/net/html to version 0.33.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.
References
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).
Remediation
There is no fixed version for Ubuntu:24.04 tar.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
- https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
- https://www.gnu.org/software/tar/
Race Condition
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.
A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
Remediation
Upgrade Ubuntu:24.04 systemd to version 255.4-1ubuntu8.8 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4598
- https://access.redhat.com/security/cve/CVE-2025-4598
- https://bugzilla.redhat.com/show_bug.cgi?id=2369242
- https://www.openwall.com/lists/oss-security/2025/05/29/3
- http://www.openwall.com/lists/oss-security/2025/06/05/1
- http://www.openwall.com/lists/oss-security/2025/06/05/3
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
Remediation
Upgrade Ubuntu:24.04 pam to version 1.5.3-5ubuntu5.4 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6020
- https://access.redhat.com/security/cve/CVE-2025-6020
- https://bugzilla.redhat.com/show_bug.cgi?id=2372512
- http://www.openwall.com/lists/oss-security/2025/06/17/1
- https://access.redhat.com/errata/RHSA-2025:9526
- https://access.redhat.com/errata/RHSA-2025:10024
- https://access.redhat.com/errata/RHSA-2025:10027
- https://access.redhat.com/errata/RHSA-2025:10180
- https://access.redhat.com/errata/RHSA-2025:10354
- https://access.redhat.com/errata/RHSA-2025:10357
- https://access.redhat.com/errata/RHSA-2025:10358
- https://access.redhat.com/errata/RHSA-2025:10359
- https://access.redhat.com/errata/RHSA-2025:10361
- https://access.redhat.com/errata/RHSA-2025:10362
- https://access.redhat.com/errata/RHSA-2025:10735
- https://access.redhat.com/errata/RHSA-2025:10823
- https://access.redhat.com/errata/RHSA-2025:11386
Insecure Storage of Sensitive Information
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
Remediation
There is no fixed version for Ubuntu:24.04 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041
- https://access.redhat.com/security/cve/CVE-2024-10041
- https://bugzilla.redhat.com/show_bug.cgi?id=2319212
- https://access.redhat.com/errata/RHSA-2024:9941
- https://access.redhat.com/errata/RHSA-2024:10379
- https://access.redhat.com/errata/RHSA-2024:11250
Improper Authentication
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.
Remediation
There is no fixed version for Ubuntu:24.04 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963
- https://access.redhat.com/security/cve/CVE-2024-10963
- https://bugzilla.redhat.com/show_bug.cgi?id=2324291
- https://access.redhat.com/errata/RHSA-2024:10232
- https://access.redhat.com/errata/RHSA-2024:10244
- https://access.redhat.com/errata/RHSA-2024:10379
- https://access.redhat.com/errata/RHSA-2024:10518
- https://access.redhat.com/errata/RHSA-2024:10528
- https://access.redhat.com/errata/RHSA-2024:10852
Out-of-bounds Read
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5318
- https://access.redhat.com/security/cve/CVE-2025-5318
- https://bugzilla.redhat.com/show_bug.cgi?id=2369131
- https://www.libssh.org/security/advisories/CVE-2025-5318.txt
Return of Wrong Status Code
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5987
- https://access.redhat.com/security/cve/CVE-2025-5987
- https://bugzilla.redhat.com/show_bug.cgi?id=2376219
Incorrect Calculation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5372
- https://access.redhat.com/security/cve/CVE-2025-5372
- https://bugzilla.redhat.com/show_bug.cgi?id=2369388
Double Free
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5351
- https://access.redhat.com/security/cve/CVE-2025-5351
- https://bugzilla.redhat.com/show_bug.cgi?id=2369367
CVE-2025-4877
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.1 or higher.
References
CVE-2025-4878
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.1 or higher.
References
Reversible One-Way Hash
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
Remediation
Upgrade Ubuntu:24.04 krb5 to version 1.20.1-6ubuntu2.6 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-3576
- https://access.redhat.com/security/cve/CVE-2025-3576
- https://bugzilla.redhat.com/show_bug.cgi?id=2359465
- https://lists.debian.org/debian-lts-announce/2025/05/msg00047.html
- https://access.redhat.com/errata/RHSA-2025:8411
- https://access.redhat.com/errata/RHSA-2025:9418
- https://access.redhat.com/errata/RHSA-2025:9430
Improper Validation of Syntactic Correctness of Input
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the tokenizer in token.go, which incorrectly interprets tags as closing tags, allowing malicious input to be incorrectly processed and the DOM to be corrupted.
Details
Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
Types of attacks
There are a few methods by which XSS can be manipulated:
| Type | Origin | Description |
|---|---|---|
| Stored | Server | The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link. |
| Reflected | Server | The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser. |
| DOM-based | Client | The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data. |
| Mutated | The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters. |
Affected environments
The following environments are susceptible to an XSS attack:
- Web servers
- Application servers
- Web application environments
How to prevent
This section describes the top best practices designed to specifically protect your code:
- Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
- Convert special characters such as
?,&,/,<,>and spaces to their respective HTML or URL encoded equivalents. - Give users the option to disable client-side scripts.
- Redirect invalid requests.
- Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
- Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
- Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
Remediation
Upgrade golang.org/x/net/html to version 0.38.0 or higher.
References
NULL Pointer Dereference
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().
Remediation
Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.4 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6395
- https://access.redhat.com/security/cve/CVE-2025-6395
- https://bugzilla.redhat.com/show_bug.cgi?id=2376755
Double Free
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.
This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
Remediation
There is no fixed version for Ubuntu:24.04 gnutls28.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32988
- https://access.redhat.com/security/cve/CVE-2025-32988
- https://bugzilla.redhat.com/show_bug.cgi?id=2359622
Heap-based Buffer Overflow
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.
Remediation
There is no fixed version for Ubuntu:24.04 gnutls28.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32990
- https://access.redhat.com/security/cve/CVE-2025-32990
- https://bugzilla.redhat.com/show_bug.cgi?id=2359620
Improper Certificate Validation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.
Remediation
There is no fixed version for Ubuntu:24.04 gnutls28.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32989
- https://access.redhat.com/security/cve/CVE-2025-32989
- https://bugzilla.redhat.com/show_bug.cgi?id=2359621
CVE-2025-5702
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.
Remediation
There is no fixed version for Ubuntu:24.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5702
- https://sourceware.org/bugzilla/show_bug.cgi?id=33056
Unexpected Status Code or Return Value
Detailed paths
Overview
Affected versions of this package are vulnerable to Unexpected Status Code or Return Value in initConn(), which causes out of order responses when CLIENT SETINFO times out while establishing a connection.
Workaround
This vulnerability can be avoided by setting DisableIndentity to true when initializing a client.
Remediation
Upgrade github.com/redis/go-redis/v9 to version 9.5.5, 9.6.3, 9.7.2 or higher.
References
Generation of Error Message Containing Sensitive Information
Detailed paths
Overview
Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information when syncing invalid Kubernetes Secret resources. An attacker with write access to the repository can expose secret values by committing an invalid Secret to repository and triggering a Sync, which then become visible to any user with read access to Argo CD.
Remediation
Upgrade github.com/argoproj/gitops-engine/pkg/utils/kube to version 0.7.1-0.20250129155113-7e21b91e9d0f or higher.
References
Generation of Error Message Containing Sensitive Information
Detailed paths
Overview
Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information when syncing invalid Kubernetes Secret resources. An attacker with write access to the repository can expose secret values by committing an invalid Secret to repository and triggering a Sync, which then become visible to any user with read access to Argo CD.
Remediation
Upgrade github.com/argoproj/gitops-engine/pkg/diff to version 0.7.1-0.20250129155113-7e21b91e9d0f or higher.
References
Buffer Overflow
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Remediation
Upgrade Ubuntu:24.04 git to version 1:2.43.0-1ubuntu7.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-48386
- https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr
Arbitrary Argument Injection
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
Remediation
Upgrade Ubuntu:24.04 git to version 1:2.43.0-1ubuntu7.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-46835
- https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da
- https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg
External Control of File Name or Path
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Remediation
Upgrade Ubuntu:24.04 git to version 1:2.43.0-1ubuntu7.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-48385
- https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655
Link Following
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Remediation
Upgrade Ubuntu:24.04 git to version 1:2.43.0-1ubuntu7.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-48384
- https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
- https://github.com/liamg/CVE-2025-48384
OS Command Injection
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
Remediation
Upgrade Ubuntu:24.04 git to version 1:2.43.0-1ubuntu7.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-27613
- https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5
- https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652
- https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v
OS Command Injection
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
Remediation
Upgrade Ubuntu:24.04 git to version 1:2.43.0-1ubuntu7.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-27614
- https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129
- https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc
Improper Encoding or Escaping of Output
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Remediation
There is no fixed version for Ubuntu:24.04 git.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
- https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
- https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net
CVE-2024-56433
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Remediation
There is no fixed version for Ubuntu:24.04 shadow.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433
- https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
- https://github.com/shadow-maint/shadow/issues/1157
- https://github.com/shadow-maint/shadow/releases/tag/4.4
Release of Invalid Pointer or Reference
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
Remediation
There is no fixed version for Ubuntu:24.04 patch.
References
Double Free
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
Remediation
There is no fixed version for Ubuntu:24.04 patch.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952
- https://security-tracker.debian.org/tracker/CVE-2018-6952
- https://security.gentoo.org/glsa/201904-17
- https://savannah.gnu.org/bugs/index.php?53133
- https://access.redhat.com/errata/RHSA-2019:2033
- http://www.securityfocus.com/bid/103047
CVE-2024-41996
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
Remediation
There is no fixed version for Ubuntu:24.04 openssl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996
- https://dheatattack.gitlab.io/details/
- https://dheatattack.gitlab.io/faq/
- https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1
Information Exposure
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Remediation
There is no fixed version for Ubuntu:24.04 libgcrypt20.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236
- https://access.redhat.com/errata/RHSA-2024:9404
- https://bugzilla.redhat.com/show_bug.cgi?id=2268268
- https://access.redhat.com/errata/RHSA-2025:3534
- https://access.redhat.com/errata/RHSA-2025:3530
- https://access.redhat.com/security/cve/CVE-2024-2236
- https://bugzilla.redhat.com/show_bug.cgi?id=2245218
Out-of-bounds Write
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
Remediation
There is no fixed version for Ubuntu:24.04 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219
- https://access.redhat.com/security/cve/CVE-2022-3219
- https://bugzilla.redhat.com/show_bug.cgi?id=2127010
- https://dev.gnupg.org/D556
- https://dev.gnupg.org/T5993
- https://marc.info/?l=oss-security&m=165696590211434&w=4
- https://security.netapp.com/advisory/ntap-20230324-0001/
Allocation of Resources Without Limits or Throttling
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Remediation
There is no fixed version for Ubuntu:24.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013
- https://akkadia.org/drepper/SHA-crypt.txt
- https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
- https://twitter.com/solardiz/status/795601240151457793
Insufficient Documentation of Error Handling Techniques
Detailed paths
Overview
Affected versions of this package are vulnerable to Insufficient Documentation of Error Handling Techniques in the ParseWithClaims function. An attacker can exploit this to accept invalid tokens by only checking for specific errors and ignoring others.
Workaround
Users who are not able to upgrade to the fixed version should make sure that they are properly checking for all errors, see example_test.go
Remediation
A fix was pushed into the master branch but not yet published.
References
CVE-2025-0167
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When asked to use a .netrc file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that
omits both login and password. A rare circumstance.
Remediation
There is no fixed version for Ubuntu:24.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167
- https://curl.se/docs/CVE-2025-0167.json
- https://hackerone.com/reports/2917232
- https://security.netapp.com/advisory/ntap-20250306-0008/
- https://curl.se/docs/CVE-2025-0167.html
Improper Input Validation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
Remediation
There is no fixed version for Ubuntu:24.04 coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
- https://security-tracker.debian.org/tracker/CVE-2016-2781
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://www.openwall.com/lists/oss-security/2016/02/28/2
- http://www.openwall.com/lists/oss-security/2016/02/28/3
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E