Platform: go
Component: github.com/argoproj/argo-cd
Fixed in: 1.0.1, 2.9.1, 2.10.1, 1.8.8
CVE-2024-28175 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in Argo CD. This flaw arises from insufficient URL protocol filtering within the application summary component, enabling attackers to inject malicious JavaScript. Successful exploitation can grant an attacker the ability to perform arbitrary actions on behalf of a victim user, potentially including administrative privileges, impacting Kubernetes resource management. Affected versions are those prior to 2.10.3; upgrading is the recommended remediation.
The impact of CVE-2024-28175 is severe. An attacker can inject a javascript: link into the link.argocd.argoproj.io annotation within the Argo CD application summary. When a user, even an administrator, clicks this link, the injected JavaScript executes with the user's permissions. This allows the attacker to perform actions on behalf of the victim, such as creating, modifying, or deleting Kubernetes resources. The blast radius extends to the entire Kubernetes cluster managed by Argo CD, as an attacker could potentially gain control over critical infrastructure. This vulnerability shares similarities with other XSS attacks where user input is not properly sanitized before being rendered in a web page, leading to unauthorized code execution.
CVE-2024-28175 was publicly disclosed on March 22, 2024. While no known active exploitation campaigns have been reported at the time of writing, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Argo CD for GitOps deployments and Kubernetes management are at significant risk. Specifically, environments with privileged Argo CD users or those lacking robust input validation practices are particularly vulnerable. Shared hosting environments where multiple users share Argo CD instances are also at increased risk.
• linux / server:
journalctl -u argocd -g 'link.argocd.argoproj.io' | grep -i javascript
• generic web:
curl -I <argo-cd-url>/applications/<app-name> | grep link.argocd.argoproj.io
• wordpress / composer / npm: not applicable (Argo CD is not a WordPress/Composer/npm component)
• database (mysql, redis, mongodb, postgresql): not applicable (Argo CD is not a database component)
• windows / supply-chain: not applicable (Argo CD is not a Windows component)
disclosure
patch
Exploit status
EPSS: 0.48% (65th percentile)
CVSS vector
The primary mitigation for CVE-2024-28175 is to upgrade Argo CD to version 2.10.3 or later. This version includes the necessary fixes to properly filter URL protocols and prevent the injection of malicious scripts. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious javascript: URLs in the link.argocd.argoproj.io annotation. Additionally, review Argo CD application configurations for any potentially malicious annotations. After upgrading, verify the fix by attempting to inject a javascript: link in an application annotation and confirming that it is properly sanitized and does not execute.
Upgrade Argo CD to version 2.10.3, 2.9.8 or 2.8.12, or later. If an update is not possible, create a Kubernetes admission controller that rejects resources carrying annotations which begin with `link.argocd.argoproj.io` or which use invalid URL protocols. Apply this validation to all clusters managed by Argo CD.
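The following is an added illustration of the validation logic such an admission controller would apply; it is not code from Argo CD or from this advisory. It allowlists only http and https for every annotation whose key begins with link.argocd.argoproj.io, rejects javascript:, data:, scheme-less and unparseable values, and assumes the value may carry an optional "|title" suffix after the URL.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Every Argo CD external-link annotation key starts with this prefix.
const linkAnnotationPrefix = "link.argocd.argoproj.io"

// Allowlist rather than denylist: javascript:, data:, vbscript:, and
// scheme-less values such as "//host/path" all fail this check.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// CheckLinkAnnotations maps each unsafe link annotation key to a reason; an
// empty map means the object may be admitted. Values are treated as "<url>"
// or "<url>|<title>" (the "|title" form is an assumption made here).
func CheckLinkAnnotations(annotations map[string]string) map[string]string {
	violations := map[string]string{}
	for key, raw := range annotations {
		if !strings.HasPrefix(key, linkAnnotationPrefix) {
			continue
		}
		target, _, _ := strings.Cut(raw, "|") // drop the optional display title
		// Trim first: browsers ignore surrounding whitespace in an href.
		u, err := url.Parse(strings.TrimSpace(target))
		if err != nil {
			// Fail closed: control characters or a malformed URL are rejected.
			violations[key] = "unparseable URL: " + err.Error()
			continue
		}
		// net/url lower-cases the scheme, so "JavaScript:" is caught as well.
		if !allowedSchemes[u.Scheme] {
			violations[key] = fmt.Sprintf("scheme %q is not http or https", u.Scheme)
		}
	}
	return violations
}

func main() {
	// Constructed sample: one safe link with a title, one javascript: link.
	sample := map[string]string{
		"link.argocd.argoproj.io/external-link": "https://grafana.example.com/d/abc|Grafana",
		"link.argocd.argoproj.io/docs":          "JavaScript:void(0)",
	}
	for key, reason := range CheckLinkAnnotations(sample) {
		fmt.Printf("reject %s: %s\n", key, reason)
	}
}
```

Wiring this into a validating webhook or a ValidatingAdmissionPolicy for Argo CD Application objects is left to the cluster operator; the function is the decision logic only.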
CVE-2024-28175 is a critical Cross-Site Scripting (XSS) vulnerability in Argo CD versions before 2.10.3. It allows attackers to inject malicious JavaScript via application annotations, potentially gaining control over Kubernetes resources.
You are affected if you are running Argo CD versions prior to 2.10.3. Check your Argo CD version and upgrade immediately if vulnerable.
Upgrade Argo CD to version 2.10.3 or later. As a temporary workaround, implement a WAF rule to block suspicious URLs in application annotations.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Argo CD security advisory: [https://argoproj.github.io/cd/security/](https://argoproj.github.io/cd/security/)