{"id":"GO-2024-2643","summary":"Bypass manifest during application creation in github.com/argoproj/argo-cd/v2","details":"An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.","aliases":["BIT-argo-cd-2023-50726","CVE-2023-50726","GHSA-g623-jcgg-mhmm"],"modified":"2026-02-04T02:53:17.941877Z","published":"2024-03-22T18:12:03Z","related":["CGA-j8x8-jxrj-qrv2"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2643"},"references":[{"type":"FIX","url":"https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"},{"type":"WEB","url":"https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"}],"affected":[{"package":{"name":"github.com/argoproj/argo-cd","ecosystem":"Go","purl":"pkg:golang/github.com/argoproj/argo-cd"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.2.0-rc1"}]}],"ecosystem_specific":{"imports":[{"symbols":["Server.Create"],"path":"github.com/argoproj/argo-cd/server/application"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2643.json"}},{"package":{"name":"github.com/argoproj/argo-cd/v2","ecosystem":"Go","purl":"pkg:golang/github.com/argoproj/argo-cd/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.8.12"},{"introduced":"2.9.0"},{"fixed":"2.9.8"},{"introduced":"2.10.0"},{"fixed":"2.10.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["Server.Create"],"path":"github.com/argoproj/argo-cd/v2/server/application"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2643.json"}}],"schema_version":"1.7.3","credits":[{"name":"@crenshaw-dev"}]}