Platform
go
Component
github.com/argoproj/argo-cd
Fixed in
1.0.1
2.9.1
2.10.1
1.8.8
CVE-2024-28175 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in Argo CD. This flaw arises from insufficient URL protocol filtering within the application summary component, enabling attackers to inject malicious JavaScript. Successful exploitation can grant an attacker the ability to perform arbitrary actions on behalf of a victim user, potentially including administrative privileges, impacting Kubernetes resource management. Affected versions are those prior to 2.10.3; upgrading is the recommended remediation.
The impact of CVE-2024-28175 is severe. An attacker can inject a javascript: link into the link.argocd.argoproj.io annotation within the Argo CD application summary. When a user, even an administrator, clicks this link, the injected JavaScript executes with the user's permissions. This allows the attacker to perform actions on behalf of the victim, such as creating, modifying, or deleting Kubernetes resources. The blast radius extends to the entire Kubernetes cluster managed by Argo CD, as an attacker could potentially gain control over critical infrastructure. This vulnerability shares similarities with other XSS attacks where user input is not properly sanitized before being rendered in a web page, leading to unauthorized code execution.
CVE-2024-28175 was publicly disclosed on March 22, 2024. While no known active exploitation campaigns have been reported at the time of writing, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.48% (65% percentile)
CVSS Vector
The primary mitigation for CVE-2024-28175 is to upgrade Argo CD to version 2.10.3 or later. This version includes the necessary fixes to properly filter URL protocols and prevent the injection of malicious scripts. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious javascript: URLs in the link.argocd.argoproj.io annotation. Additionally, review Argo CD application configurations for any potentially malicious annotations. After upgrading, verify the fix by attempting to inject a javascript: link in an application annotation and confirming that it is properly sanitized and does not execute.
Update Argo CD to version 2.10.3, 2.9.8, or 2.8.12, or later. If updating is not possible, create a Kubernetes admission controller to reject resources with annotations that begin with `link.argocd.argoproj.io` or that use incorrect URL protocols. Apply this validation to all clusters managed by ArgoCD.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-28175 is a critical Cross-Site Scripting (XSS) vulnerability in Argo CD versions before 2.10.3. It allows attackers to inject malicious JavaScript via application annotations, potentially gaining control over Kubernetes resources.
You are affected if you are running Argo CD versions prior to 2.10.3. Check your Argo CD version and upgrade immediately if vulnerable.
Upgrade Argo CD to version 2.10.3 or later. As a temporary workaround, implement a WAF rule to block suspicious URLs in application annotations.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Argo CD security advisory: [https://argoproj.github.io/cd/security/](https://argoproj.github.io/cd/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.