cve-2024-28175
Vulnerability from cvelistv5
Published
2024-03-13 20:48
Modified
2024-08-21 23:20
Severity ?
Summary
Cross-site scripting on application summary component in argo-cd
Impacted products
argoprojargo-cd
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.312Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo_cd",
            "vendor": "argoproj",
            "versions": [
              {
                "lessThan": "2.8.12",
                "status": "affected",
                "version": "1.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.9.8",
                "status": "affected",
                "version": "2.9.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.10.3",
                "status": "affected",
                "version": "2.10.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28175",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-14T15:46:16.286706Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-21T23:20:32.107Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 2.8.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim\u0027s permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-13T20:48:05.363Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"
        }
      ],
      "source": {
        "advisory": "GHSA-jwv5-8mqv-g387",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting on application summary component in argo-cd"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28175",
    "datePublished": "2024-03-13T20:48:05.363Z",
    "dateReserved": "2024-03-06T17:35:00.856Z",
    "dateUpdated": "2024-08-21T23:20:32.107Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28175\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-13T21:16:00.570\",\"lastModified\":\"2024-03-14T12:52:16.723\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim\u0027s permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Debido al filtrado inadecuado de los protocolos URL de los enlaces especificados en las anotaciones `link.argocd.argoproj.io` en el componente de resumen de la aplicaci\u00f3n, un atacante puede lograr Cross Site Scripting con permisos elevados. Todas las versiones sin parches de Argo CD que comienzan con v1.0.0 son vulnerables a un error de Cross Site Scripting (XSS) que permite a un usuario malintencionado inyectar un enlace javascript: en la interfaz de usuario. Cuando un usuario v\u00edctima hace clic en \u00e9l, el script se ejecutar\u00e1 con los permisos de la v\u00edctima (hasta administrador incluido). Esta vulnerabilidad permite a un atacante realizar acciones arbitrarias en nombre de la v\u00edctima a trav\u00e9s de la API, como crear, modificar y eliminar recursos de Kubernetes. Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones de Argo CD v2.10.3 v2.9.8 y v2.8.12. No existen soluciones alternativas completamente seguras adem\u00e1s de actualizar. La alternativa m\u00e1s segura, si no es posible la actualizaci\u00f3n, ser\u00eda crear un controlador de admisi\u00f3n de Kubernetes para rechazar cualquier recurso con una anotaci\u00f3n que comience con link.argocd.argoproj.io o rechazar el recurso si el valor utiliza un protocolo URL inadecuado. Esta validaci\u00f3n deber\u00e1 aplicarse en todos los cl\u00fasteres gestionados por ArgoCD.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.