Platform
go
Component
github.com/argoproj/argo-cd
Fixed versions
1.0.1
2.9.1
2.10.1
1.8.8
CVE-2024-28175 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in Argo CD. This flaw arises from insufficient URL protocol filtering within the application summary component, enabling attackers to inject malicious JavaScript. Successful exploitation can grant an attacker the ability to perform arbitrary actions on behalf of a victim user, potentially including administrative privileges, impacting Kubernetes resource management. Affected versions are those prior to 2.10.3; upgrading is the recommended remediation.
The impact of CVE-2024-28175 is severe. An attacker can inject a javascript: link into the link.argocd.argoproj.io annotation within the Argo CD application summary. When a user, even an administrator, clicks this link, the injected JavaScript executes with the user's permissions. This allows the attacker to perform actions on behalf of the victim, such as creating, modifying, or deleting Kubernetes resources. The blast radius extends to the entire Kubernetes cluster managed by Argo CD, as an attacker could potentially gain control over critical infrastructure. This vulnerability shares similarities with other XSS attacks where user input is not properly sanitized before being rendered in a web page, leading to unauthorized code execution.
CVE-2024-28175 was publicly disclosed on March 22, 2024. While no known active exploitation campaigns have been reported at the time of writing, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Argo CD for GitOps deployments and Kubernetes management are at significant risk. Specifically, environments with privileged Argo CD users or those lacking robust input validation practices are particularly vulnerable. Shared hosting environments where multiple users share Argo CD instances are also at increased risk.
• linux / server:
  journalctl -u argocd -g 'link.argocd.argoproj.io' | grep -i javascript
• generic web:
  curl -s -H "Authorization: Bearer <token>" <argo-cd-url>/api/v1/applications/<app-name> | grep -i 'link.argocd.argoproj.io'
• wordpress / composer / npm: not applicable (Argo CD is not a WordPress/Composer/npm component)
• database (mysql, redis, mongodb, postgresql): not applicable (Argo CD is not a database component)
• windows / supply-chain: not applicable (Argo CD is not a Windows component)
disclosure
patch
Exploitation status
EPSS
0.48% (65th percentile)
CVSS vector
The primary mitigation for CVE-2024-28175 is to upgrade Argo CD to version 2.10.3 or later. This version includes the necessary fixes to properly filter URL protocols and prevent the injection of malicious scripts. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious javascript: URLs in the link.argocd.argoproj.io annotation. Additionally, review Argo CD application configurations for any potentially malicious annotations. After upgrading, verify the fix by attempting to inject a javascript: link in an application annotation and confirming that it is properly sanitized and does not execute.
Update Argo CD to version 2.10.3, 2.9.8 or 2.8.12 or later. If updating is not possible, create a Kubernetes admission controller that rejects resources carrying an annotation whose key starts with `link.argocd.argoproj.io` and whose value uses an improper URL protocol. Apply this validation to every cluster managed by Argo CD.
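The admission-controller workaround described above, written out as the validation logic a webhook would run. This is an added example, not code from the Argo CD project or from this advisory; it assumes the UI renders any annotation keyed `link.argocd.argoproj.io` or `link.argocd.argoproj.io/<name>` as a clickable link, and it allows only `http` and `https`. The AdmissionReview object in `demo()` is constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Annotation key prefix the Argo CD UI turns into links (from the advisory).
LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io"
# Allow-list of URL schemes; javascript:, data:, vbscript: and friends are rejected.
ALLOWED_SCHEMES = {"http", "https"}
# Browsers drop ASCII tab/newline and tolerate leading whitespace before scheme
# detection, so remove control characters and spaces before inspecting the scheme.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def link_annotations(obj):
    """Yield (key, value) for each link.argocd.argoproj.io annotation on a k8s object dict."""
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        if key == LINK_ANNOTATION_PREFIX or key.startswith(LINK_ANNOTATION_PREFIX + "/"):
            yield key, str(value)


def url_scheme_allowed(url):
    """True when the URL's scheme is on the allow-list after browser-style normalisation."""
    cleaned = _CONTROL_CHARS.sub("", url)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ALLOWED_SCHEMES  # a missing scheme ("//host/x") is also rejected


def validate(obj):
    """Return (allowed, reasons) for one Kubernetes object."""
    reasons = [
        f"annotation {key!r} uses a disallowed URL scheme: {value!r}"
        for key, value in link_annotations(obj)
        if not url_scheme_allowed(value)
    ]
    return (not reasons, reasons)


def admission_response(review):
    """Build the AdmissionReview response a validating webhook returns to the API server."""
    request = review["request"]
    allowed, reasons = validate(request["object"])
    response = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def demo():
    """Constructed AdmissionReview: one benign link annotation and one javascript: link."""
    review = {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-0000-0000-000000000000",  # constructed placeholder
            "object": {
                "apiVersion": "argoproj.io/v1alpha1",
                "kind": "Application",
                "metadata": {
                    "name": "sample-app",
                    "annotations": {
                        "link.argocd.argoproj.io/dashboard": "https://grafana.example.invalid/d/sample",
                        "link.argocd.argoproj.io/runbook": "java\tscript:alert(1)",
                    },
                },
            },
        },
    }
    return admission_response(review)


if __name__ == "__main__":
    print(demo())
```

Wire `admission_response` behind a TLS HTTPS handler registered as a `ValidatingWebhookConfiguration` on `applications.argoproj.io` (and on any other kinds whose annotations the UI renders) in every cluster Argo CD manages; keeping the scheme check on an allow-list rather than a `javascript:` deny-list is what makes the tab-obfuscated value in `demo()` fail closed.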
CVE-2024-28175 is a critical Cross-Site Scripting (XSS) vulnerability in Argo CD versions before 2.10.3. It allows attackers to inject malicious JavaScript via application annotations, potentially gaining control over Kubernetes resources.
You are affected if you are running Argo CD versions prior to 2.10.3. Check your Argo CD version and upgrade immediately if vulnerable.
Upgrade Argo CD to version 2.10.3 or later. As a temporary workaround, implement a WAF rule to block suspicious URLs in application annotations.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Argo CD security advisory: [https://argoproj.github.io/cd/security/](https://argoproj.github.io/cd/security/)