CVE-2021-23347 - Vulnerability Details - OpenCVE

The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Argoproj	Argo Cd

Configuration 1 [-]

OR	cpe:2.3:a:argoproj:argo_cd::::::::
	cpe:2.3:a:argoproj:argo_cd::::::::

No data.

References

Link	Providers
https://github.com/argoproj/argo-cd/pull/5563
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291

History

Wed, 07 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Argoproj Argoproj argo Cd
CPEs	cpe:2.3:a:linuxfoundation:argo_continuous_delivery::::::kubernetes::*	cpe:2.3:a:argoproj:argo_cd::::::::
Vendors & Products	Linuxfoundation Linuxfoundation argo Continuous Delivery	Argoproj Argoproj argo Cd

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-03-03T09:55:25.235231Z

Updated: 2024-09-17T04:14:06.008Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23347

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-03T10:15:13.753

Modified: 2024-11-21T05:51:33.100

Link: CVE-2021-23347

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "github.com/argoproj/argo-cd/cmd", "vendor": "n/a", "versions": [{"lessThan": "1.7.13", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.8.0", "versionType": "custom"}, {"lessThan": "1.8.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "jannfis"}], "datePublic": "2021-03-03T00:00:00", "descriptions": [{"lang": "en", "value": "The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-03T09:55:25", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/argo-cd/pull/5563"}], "title": "Cross-site Scripting (XSS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-03-03T09:52:51.235817Z", "ID": "CVE-2021-23347", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "github.com/argoproj/argo-cd/cmd", "version": {"version_data": [{"version_affected": "<", "version_value": "1.7.13"}, {"version_affected": ">=", "version_value": "1.8.0"}, {"version_affected": "<", "version_value": "1.8.6"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "jannfis"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291"}, {"name": "https://github.com/argoproj/argo-cd/pull/5563", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/pull/5563"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.656Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/argoproj/argo-cd/pull/5563"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23347", "datePublished": "2021-03-03T09:55:25.235231Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-17T04:14:06.008Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5B2A3E0-5E2F-487B-8614-A23B5C9277C4", "versionEndExcluding": "1.7.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "B353C097-7262-4367-9281-F5F258738AA4", "versionEndExcluding": "1.8.6", "versionStartIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user."}, {"lang": "es", "value": "El paquete github.com/argoproj/argo-cd/cmd versiones anteriores a 1.7.13, versiones desde 1.8.0 y anteriores a 1.8.6, son vulnerables a un ataque de tipo Cross-site Scripting (XSS), el proveedor de SSO conectado a Argo CD tendr\u00eda que devolver un mensaje de error malicioso que contiene JavaScript para el usuario"}], "id": "CVE-2021-23347", "lastModified": "2024-11-21T05:51:33.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-03T10:15:13.753", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/argoproj/argo-cd/pull/5563"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/argoproj/argo-cd/pull/5563"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}