Platform: go
Component: github.com/argoproj/argo-cd
Fixed in: 1.0.1, 2.9.1, 2.10.1, 1.8.8
CVE-2024-28175 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in Argo CD. The flaw arises from insufficient URL protocol filtering in the application summary component, which lets attackers inject malicious JavaScript. Successful exploitation lets an attacker perform arbitrary actions on behalf of a victim user, including an administrator, and so affect Kubernetes resource management. Affected versions are those prior to 2.10.3; upgrading is the recommended remediation.
The impact of CVE-2024-28175 is severe. An attacker can inject a javascript: link into the link.argocd.argoproj.io annotation within the Argo CD application summary. When a user, even an administrator, clicks this link, the injected JavaScript executes with the user's permissions. This allows the attacker to perform actions on behalf of the victim, such as creating, modifying, or deleting Kubernetes resources. The blast radius extends to the entire Kubernetes cluster managed by Argo CD, as an attacker could potentially gain control over critical infrastructure. This vulnerability shares similarities with other XSS attacks where user input is not properly sanitized before being rendered in a web page, leading to unauthorized code execution.
CVE-2024-28175 was publicly disclosed on March 22, 2024. While no known active exploitation campaigns have been reported at the time of writing, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Argo CD for GitOps deployments and Kubernetes management are at significant risk. Specifically, environments with privileged Argo CD users or those lacking robust input validation practices are particularly vulnerable. Shared hosting environments where multiple users share Argo CD instances are also at increased risk.
• linux / server:
  journalctl -u argocd -g 'link.argocd.argoproj.io' | grep -i javascript
• generic web (curl -I returns only response headers, so the annotation has to be read from the Application object via the Argo CD API; the bearer token is a placeholder):
  curl -s -H "Authorization: Bearer <argocd-token>" <argo-cd-url>/api/v1/applications/<app-name> | grep -i 'link.argocd.argoproj.io'
• wordpress / composer / npm: not applicable (Argo CD is not a WordPress/Composer/npm component)
• database (mysql, redis, mongodb, postgresql): not applicable (Argo CD is not a database component)
• windows / supply-chain: not applicable (Argo CD is not a Windows component)
disclosure
patch
Exploit status
EPSS: 0.48% (65th percentile)
CVSS vector
The primary mitigation for CVE-2024-28175 is to upgrade Argo CD to version 2.10.3 or later. This version includes the necessary fixes to properly filter URL protocols and prevent the injection of malicious scripts. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious javascript: URLs in the link.argocd.argoproj.io annotation. Additionally, review Argo CD application configurations for any potentially malicious annotations. After upgrading, verify the fix by attempting to inject a javascript: link in an application annotation and confirming that it is properly sanitized and does not execute.
Upgrade Argo CD to version 2.10.3, 2.9.8 or 2.8.12, or later. If upgrading is not possible, create a Kubernetes admission controller that rejects resources with annotations that begin with `link.argocd.argoproj.io` or that use incorrect URL protocols. Apply this validation in every cluster managed by Argo CD.
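The admission-controller workaround above, as an added example (not code from the Argo CD project or from this advisory): a validating webhook that denies any object carrying a `link.argocd.argoproj.io/*` annotation whose value is not an absolute http(s) URL. The scheme allow-list (http and https only, so relative links are also refused), the `/validate` path, and the trimmed-down AdmissionReview structs are assumptions made so the example builds with only the standard library; a production webhook would use `k8s.io/api/admission/v1` and be registered through a ValidatingWebhookConfiguration for `applications.argoproj.io` (and any other kinds whose annotations Argo CD renders as links), which is not shown here. The sample Application is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Annotation prefix Argo CD renders as links (from the advisory) and the scheme
// allow-list (policy assumption: http/https only).
const linkAnnotationPrefix = "link.argocd.argoproj.io/"

var allowedSchemes = map[string]bool{"http": true, "https": true}

// Minimal subset of the AdmissionReview schema, declared here so the example needs
// only the standard library; a production webhook uses k8s.io/api/admission/v1.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type admissionResponse struct {
	UID     string          `json:"uid"`
	Allowed bool            `json:"allowed"`
	Status  *responseStatus `json:"status,omitempty"`
}
type responseStatus struct {
	Message string `json:"message"`
}

// linkAnnotationViolations returns one message per link.argocd.argoproj.io/* annotation
// whose value is not an absolute http(s) URL. Values that fail to parse, have no scheme,
// or use any other scheme (javascript:, data:, ...) are rejected, so obfuscated values
// fail closed. net/url lower-cases the scheme, so "JavaScript:" is caught as well.
func linkAnnotationViolations(annotations map[string]string) []string {
	var violations []string
	for key, value := range annotations {
		if !strings.HasPrefix(key, linkAnnotationPrefix) {
			continue
		}
		u, err := url.Parse(value)
		if err != nil || !allowedSchemes[u.Scheme] {
			violations = append(violations, fmt.Sprintf("annotation %q must be an http(s) URL", key))
		}
	}
	return violations
}

// reviewObject reads metadata.annotations from a raw Kubernetes object and applies the
// policy, returning the admission decision and the reason for a denial.
func reviewObject(raw []byte) (bool, string) {
	var obj struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(raw, &obj); err != nil {
		return false, "object is not valid JSON: " + err.Error()
	}
	if v := linkAnnotationViolations(obj.Metadata.Annotations); len(v) > 0 {
		return false, strings.Join(v, "; ")
	}
	return true, ""
}

// handleAdmission is the HTTP handler a ValidatingWebhookConfiguration points at.
func handleAdmission(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var review admissionReview
	if err != nil || json.Unmarshal(body, &review) != nil || review.Request == nil {
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	allowed, msg := reviewObject(review.Request.Object)
	review.Response = &admissionResponse{UID: review.Request.UID, Allowed: allowed}
	if !allowed {
		review.Response.Status = &responseStatus{Message: msg}
	}
	review.Request = nil // return only the decision, as the API server expects
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(review)
}

// Constructed sample Application: one legitimate link and one javascript: link.
const sampleApplication = `{"apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
  "metadata": {"name": "demo", "annotations": {
    "link.argocd.argoproj.io/runbook": "https://wiki.example.internal/runbook",
    "link.argocd.argoproj.io/x": "javascript:alert(1)"}}}`

func main() {
	allowed, msg := reviewObject([]byte(sampleApplication))
	fmt.Printf("allowed=%v reason=%q\n", allowed, msg)
	// Serve with http.HandleFunc("/validate", handleAdmission) under ListenAndServeTLS
	// (the API server requires TLS; certificate paths are deployment-specific).
}
```

The check is deliberately deny-unless-allowed: any value that `net/url` cannot parse, or whose scheme is anything other than http or https, is refused, so variants with mixed case, leading whitespace or embedded control characters fail closed instead of depending on a deny-list of dangerous schemes. Because Argo CD also renders link annotations on managed resources, the same handler can be registered for those kinds as well.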
CVE-2024-28175 is a critical Cross-Site Scripting (XSS) vulnerability in Argo CD versions before 2.10.3. It allows attackers to inject malicious JavaScript via application annotations, potentially gaining control over Kubernetes resources.
You are affected if you are running Argo CD versions prior to 2.10.3. Check your Argo CD version and upgrade immediately if vulnerable.
Upgrade Argo CD to version 2.10.3 or later. As a temporary workaround, implement a WAF rule to block suspicious URLs in application annotations.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Argo CD security advisory: [https://argoproj.github.io/cd/security/](https://argoproj.github.io/cd/security/)