Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-28175

Severity Medium
Score 5.4/10

Summary

Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes, suffers from a Cross-Site Scripting (XSS) vulnerability due to improper URL protocol filtering of the `link.argocd.argoproj.io` annotations in the application summary component. The flaw lets an attacker inject a `javascript:` link; when the user interacts with it, the script executes with the victim's permissions, including admin rights. This allows attackers to execute arbitrary actions on behalf of the victim via the API, such as manipulating Kubernetes resources. Affected versions are 1.0.0-alpha1 through 1.8.6, and, for argo-cd/v2, v2.0.0-alpha1 through 2.8.11, 2.9.0-rc2 through 2.9.7, and 2.10.0-rc1 through 2.10.2. Users are urged to upgrade to mitigate this vulnerability. Where an immediate upgrade is not possible, a Kubernetes admission controller that blocks resources carrying annotations beginning with `link.argocd.argoproj.io`, or carrying such annotations with improper URL protocols, is recommended as a temporary measure.
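The stop-gap the advisory recommends, as an added example that is neither Argo CD's code nor part of the original advisory: the core of a validating admission webhook that rejects any resource whose `link.argocd.argoproj.io` annotation does not carry an http(s) URL, normalising the value the way a browser would so that whitespace and tab tricks around the scheme are caught. The http/https allowlist, the annotation suffixes and the AdmissionReview payload are assumptions constructed for the example.

```python
import re
from typing import Optional

# Annotation key prefix named in the advisory; only these annotations are inspected.
LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io"
# Assumed policy: link annotations must hold absolute http(s) URLs, so javascript:,
# data:, vbscript: and scheme-less (relative) values are all rejected.
ALLOWED_SCHEMES = {"http", "https"}
# Browsers drop tab/CR/LF anywhere in a URL and strip leading C0 controls and spaces
# before reading the scheme, so "jav\tascript:" still executes. Normalise the same way.
_INLINE_NOISE = re.compile(r"[\t\r\n]")
_LEADING_NOISE = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def url_scheme(value: str) -> Optional[str]:
    """Scheme a browser would resolve for `value`, lowercased; None for a relative URL."""
    cleaned = _LEADING_NOISE.sub("", _INLINE_NOISE.sub("", value))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None

def offending_annotations(annotations: Optional[dict]) -> list:
    """(key, reason) pairs for link annotations whose URL scheme is not allowlisted."""
    bad = []
    for key, value in (annotations or {}).items():
        if key.startswith(LINK_ANNOTATION_PREFIX):
            scheme = url_scheme(str(value))
            if scheme not in ALLOWED_SCHEMES:
                bad.append((key, f"URL scheme {scheme!r} not in {sorted(ALLOWED_SCHEMES)}"))
    return bad

def review(admission_review: dict) -> dict:
    """Validating-webhook core: AdmissionReview request in, AdmissionReview response out."""
    request = admission_review["request"]
    metadata = (request.get("object") or {}).get("metadata") or {}
    bad = offending_annotations(metadata.get("annotations"))
    response = {"uid": request["uid"], "allowed": not bad}
    if bad:  # deny with a message the kubectl user will see
        response["status"] = {"code": 403, "message": "; ".join(f"{k}: {r}" for k, r in bad)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed AdmissionReview for an Argo CD Application; uid and annotation names are made up.
SAMPLE_REQUEST = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "00000000-0000-0000-0000-000000000001", "operation": "CREATE",
    "object": {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application", "metadata": {
        "name": "demo", "annotations": {
            "link.argocd.argoproj.io/docs": "https://example.com/runbook",  # allowed
            "link.argocd.argoproj.io/oops": " JavaScript:void(0)",          # denied
            "other.example.com/note": "javascript:not-a-link-annotation"}}}}}  # ignored
```

`review(SAMPLE_REQUEST)` denies the request and names only the `oops` annotation; the same function wired behind a TLS HTTP handler and registered through a `ValidatingWebhookConfiguration` is the admission controller the advisory describes.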

CVSS v3 Metrics

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: LOW
  • Scope: CHANGED
  • User Interaction: REQUIRED
  • Confidentiality: LOW
  • Integrity: LOW
  • Availability: NONE

CWE-79 - Cross Site Scripting

Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of web vulnerabilities. It allows an attacker to inject malicious script into a vulnerable web application and target its users. Exploiting such a weakness can cause severe harm, such as account takeover and exfiltration of sensitive data. Because XSS vulnerabilities are so prevalent and so frequently exploited, they have remained in the OWASP Top 10 for years.

Advisory Timeline

  • Published