Cross-site Scripting (XSS) Vulnerability in Argo CD Allows Attacker to Execute JavaScript with Elevated Permissions
CVE-2024-28175

5.4 MEDIUM

Key Information:

Vendor: Argoproj
Status: Vendor
CVE Published: 13 March 2024

What is CVE-2024-28175?

Argo CD is a declarative GitOps continuous delivery tool for Kubernetes that has a vulnerability in its application summary component. The issue arises from improper filtering of URL protocols in the link.argocd.argoproj.io annotations, allowing attackers to conduct cross-site scripting (XSS) attacks. An attacker can inject a malicious JavaScript link into the UI. If a victim user clicks on this link, the script executes with the victim's permissions, which can include administrative rights. Consequently, an attacker may manipulate Kubernetes resources via API calls, including creating, modifying, or deleting resources. Argo CD has provided patches in versions v2.10.3, v2.9.8, and v2.8.12, and users are strongly advised to upgrade to these versions. For those unable to upgrade, implementing a Kubernetes admission controller to reject improper annotations is recommended as a safer alternative.
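The admission-controller mitigation described above needs a scheme check that cannot be bypassed by letter case or whitespace padding. The following is an added example of such a check, not Argo CD's or Argoproj's own code; the annotation keys and manifest values are constructed for illustration, and the strict http(s)-only policy is an assumption.

```python
"""Link-annotation check for a validating admission webhook.
Added example, not Argo CD's own code; annotation values below are constructed."""
from urllib.parse import urlsplit

LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io/"  # Argo CD link annotation family
ALLOWED_SCHEMES = {"http", "https"}                   # policy: absolute http(s) links only
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def url_scheme(value: str) -> str:
    """Lower-cased scheme a browser would parse from this string. WHATWG URL
    parsing removes ASCII tab/newline and strips leading/trailing C0 controls
    and spaces before reading the scheme, so normalise the same way."""
    cleaned = value.replace("\t", "").replace("\n", "").replace("\r", "")
    return urlsplit(cleaned.strip(_C0_AND_SPACE)).scheme.lower()

def invalid_link_annotations(annotations: dict) -> list:
    """Keys of link.argocd.argoproj.io/* annotations with a disallowed scheme.
    Scheme-less (relative) values are rejected as well; the policy is strict."""
    return [
        key for key, value in annotations.items()
        if key.startswith(LINK_ANNOTATION_PREFIX)
        and url_scheme(value) not in ALLOWED_SCHEMES
    ]

def review(manifest: dict) -> tuple:
    """Admission decision for one resource: (allowed, message)."""
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    bad = invalid_link_annotations(annotations)
    if bad:
        return False, "rejected link annotations: " + ", ".join(bad)
    return True, "ok"

# Constructed sample resource (illustrative values, not from a real cluster).
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "name": "demo",
        "annotations": {
            "link.argocd.argoproj.io/dashboard": "https://grafana.example/d/demo",
            "link.argocd.argoproj.io/runbook": " \tJavaScript:alert(1)",
            "link.argocd.argoproj.io/docs": "data:text/html,<b>not a link</b>",
            "other.example/note": "javascript:not-a-link-annotation",
        },
    },
}

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST))
```

Only annotations under the link.argocd.argoproj.io/ prefix are inspected, so unrelated annotations with odd values do not cause rejections.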

Affected Version(s)

argo-cd >= 1.0.0, < 2.8.12 (fixed in 2.8.12)

argo-cd >= 2.9.0, < 2.9.8 (fixed in 2.9.8)

argo-cd >= 2.10.0, < 2.10.3 (fixed in 2.10.3)

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
