Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd
CVE-2024-22424

8.3 HIGH

Key Information:

Vendor: argoproj

Status: Vendor

CVE Published: 19 January 2024

What is CVE-2024-22424?

The vulnerability affects the Argo CD API in versions before the fixed releases listed below, exposing users to Cross-Site Request Forgery (CSRF). If an attacker controls a web page on the same parent domain as an Argo CD instance, they can trick an authenticated user's browser into making API calls the user did not intend, which may result in the deployment of malicious applications. Argo CD sets the 'Lax' SameSite attribute on its session cookie, which blocks CSRF from external domains, but a 'Lax' cookie is still sent on requests that originate from sibling subdomains, so the policy does not protect against pages on the same parent domain. Browser CORS protections do not stop the request either, because it is sent with a content type that browsers treat as a simple request and therefore dispatch without a preflight. The patch adds validation of the Content-Type header on API requests, so that only requests carrying an allowed content type are processed. Users are strongly encouraged to upgrade to a fixed version to protect their deployments.
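As an added illustration (not Argo CD's own code), the following Go middleware implements the kind of check the patch describes: it rejects state-changing API requests whose Content-Type a browser would send cross-origin without a CORS preflight, and lets requests declaring application/json through. The allow-list, the /api/v1/applications path and the Probe helper are assumptions made for this example.

```go
package main

import (
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Media types a browser sends cross-origin only after a CORS preflight (constructed
// for this example; not Argo CD's own allow-list or configuration).
var allowedContentTypes = map[string]bool{"application/json": true}

// contentTypeOK: GET/HEAD/OPTIONS carry no body and should be side-effect free,
// so they pass; every other method must declare an allowed media type.
func contentTypeOK(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil { // missing or malformed header is rejected, never defaulted
		return false
	}
	return allowedContentTypes[strings.ToLower(mt)]
}

// RequireContentType rejects state-changing API requests whose Content-Type a
// browser could send as a CORS "simple request", i.e. without a preflight.
func RequireContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !contentTypeOK(r) {
			http.Error(w, "unsupported Content-Type for API request", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware (hypothetical path) and returns the status.
func Probe(method, contentType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/api/v1/applications", strings.NewReader(`{}`))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	RequireContentType(ok).ServeHTTP(rec, req)
	return rec.Code
}
```

Such a check complements rather than replaces the SameSite cookie attribute, and it only helps if every API endpoint that changes state is behind it. GET requests are exempted here on the assumption that they are side-effect free, which must actually hold for the API being protected.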

Affected Version(s)

argo-cd >= 0.1.0, < 2.7.15 (fixed: 2.7.15)

argo-cd >= 2.8.0, < 2.8.8 (fixed: 2.8.8)

argo-cd >= 2.9.0, < 2.9.4 (fixed: 2.9.4)

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
