x/vulndb: suggestion regarding GO-2025-3427 #3440
Comments
Hi @hugocarreira, thanks for your report. I just took a look but was not able to locate a fix for the vulnerability in v2.10.4. (Note that GHSA-58fx-7v9q-3g56 doesn't list a patched version either). Are you aware of a patch or fix for this vulnerability?

Hi @tatianab, thanks for answering my issue. I started a discussion on the ArgoCD repository, but I haven’t received an answer yet. You can check out the discussion here: argoproj/argo-cd#21743. Furthermore, I would like to understand why VulnDB states that all versions are affected, while GHSA-58fx-7v9q-3g56 only mentions versions ≤ v2.10.3.

Thanks for opening a discussion on the ArgoCD repo. Hopefully that can bring more clarity on the state of the vulnerability. To answer your question, the Go vulndb is more conservative than some other databases, and doesn't support the notion of "affected at <= X.X.X". The reason we don't support it is that it is often misused when there is no known fix for a vulnerability. See the discussion of "last_affected" on the OSV website:
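As an added illustration (not code from the Go vulndb, OSV, or anyone in this thread), the following Python evaluates a version against OSV-style SEMVER range events and shows the difference the comment above describes: an open `introduced`-only range (the conservative encoding, where every later version stays affected until a `fixed` event exists) versus a range closed with `last_affected`, which reads the next version as unaffected even though no fix is known. The version strings mirror the ones discussed in this issue (2.10.3, 2.10.4); the event lists are constructed for the example, and `range_bound_kind` is a hypothetical triage check, not part of any OSV tooling.

```python
"""Evaluate a version against OSV-style SEMVER range events (added example)."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Event = Dict[str, str]  # e.g. {"introduced": "0"}, {"fixed": "2.10.4"}, {"last_affected": "2.10.3"}


def parse_version(s: str) -> Version:
    """Parse 'v2.10.3' / '2.10.3' into a comparable tuple.

    Pre-release and build metadata are dropped for brevity; this is a
    simplification of full semver ordering, not an implementation of it.
    """
    core = s.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_affected(version: str, events: List[Event]) -> bool:
    """OSV SEMVER semantics: events are listed in ascending version order.

    - introduced X    : versions >= X are affected (X == "0" means "from the start")
    - fixed X         : versions >= X are no longer affected
    - last_affected X : versions >  X are no longer affected
    """
    v = parse_version(version)
    affected = False
    for ev in events:
        (kind, val), = ev.items()
        ev_v = (0, 0, 0) if val == "0" else parse_version(val)
        if kind == "introduced" and ev_v <= v:
            affected = True
        elif kind == "fixed" and ev_v <= v:
            affected = False
        elif kind == "last_affected" and ev_v < v:
            affected = False
    return affected


def range_bound_kind(events: List[Event]) -> str:
    """Hypothetical triage check: how is the upper bound of the range justified?

    'fixed'         -> a fix is known; the bound is backed by a patched release
    'last_affected' -> bound asserted without a known fix (weaker claim)
    'none'          -> open range; everything after `introduced` is affected
    """
    kinds = {next(iter(ev)) for ev in events}
    if "fixed" in kinds:
        return "fixed"
    if "last_affected" in kinds:
        return "last_affected"
    return "none"


# Constructed event lists illustrating the three encodings.
OPEN_RANGE: List[Event] = [{"introduced": "0"}]                              # Go vulndb style, no fix known
LAST_AFFECTED_RANGE: List[Event] = [{"introduced": "0"}, {"last_affected": "2.10.3"}]
FIXED_RANGE: List[Event] = [{"introduced": "0"}, {"fixed": "2.10.4"}]         # only valid once a fix exists


def compare_encodings(version: str) -> Dict[str, bool]:
    """Return, per encoding, whether `version` is reported as affected."""
    return {
        "open": is_affected(version, OPEN_RANGE),
        "last_affected": is_affected(version, LAST_AFFECTED_RANGE),
        "fixed": is_affected(version, FIXED_RANGE),
    }


if __name__ == "__main__":
    for ver in ("v2.10.3", "v2.10.4"):
        print(ver, compare_encodings(ver))
```

Run stand-alone, the block prints that v2.10.3 is affected under all three encodings, while v2.10.4 is affected only under the open range. That is exactly the divergence between the Go vulndb entry ("all versions") and an advisory that stops at ≤ 2.10.3: without a `fixed` event, the open range is the claim that can actually be defended.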
Perfect clarification, @tatianab, thank you very much! I believe the main point now is to move forward with the discussion in the ArgoCD repository. From my perspective, everything is correct here. :) I think this issue can be closed.

Great, glad I could help. Feel free to re-open this issue or file a new one if new information becomes available.

Hey @tatianab, I have an update regarding this issue. There were some responses in the discussion on the ArgoCD repository. It turns out there is conflicting information. It has been confirmed that the CVE refers to the GitOps Operator, which is a Red Hat implementation of ArgoCD. Therefore, based on my understanding and that of the ArgoCD and GitOps Operator maintainers, this vulnerability should not be associated with ArgoCD. You can find more details in the discussion itself. ref: argoproj/argo-cd#21743
Hi, I am a maintainer of the GitOps Operator. This vulnerability doesn't affect upstream ArgoCD. I have opened up #3464 with correct details. Please take a look. Thanks.
Report ID
GO-2025-3427
Suggestion/Comment
Hello VulnDB team,
According to the GitHub Advisory Database and Vulert.com, the GO-2025-3427 vulnerability affects only versions ≤ 2.10.3, but VulnDB lists all versions as affected.
I believe it is necessary to update VulnDB to reflect the correct information.
For your reference:
• Vulnerability GO-2025-3427: https://pkg.go.dev/vuln/GO-2025-3427
• GitHub Advisory Database: GHSA-58fx-7v9q-3g56
• Vulert.com: https://vulert.com/vuln-db/CVE-2024-13484
• Project: https://pkg.go.dev/github.com/argoproj/argo-cd/v2