{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28175", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.856Z", "datePublished": "2024-03-13T20:48:05.363Z", "dateUpdated": "2024-08-21T23:20:32.107Z"}, "containers": {"cna": {"title": "Cross-site scripting on application summary component in argo-cd", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"}, {"name": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71", "tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"version": ">= 1.0.0, < 2.8.12", "status": "affected"}, {"version": ">= 2.9.0, < 2.9.8", "status": "affected"}, {"version": ">= 2.10.0, < 2.10.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-13T20:48:05.363Z"}, "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.\n\n"}], "source": {"advisory": "GHSA-jwv5-8mqv-g387", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.312Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"}, {"name": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"}]}, {"affected": [{"vendor": "argoproj", "product": "argo_cd", "cpes": ["cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0.0", "status": "affected", "lessThan": "2.8.12", "versionType": "custom"}, {"version": "2.9.0", "status": "affected", "lessThan": "2.9.8", "versionType": "custom"}, {"version": "2.10.0", "status": "affected", "lessThan": "2.10.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-14T15:46:16.286706Z", "id": "CVE-2024-28175", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T23:20:32.107Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387", "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71", "name": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.312Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28175", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-14T15:46:16.286706Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*"], "vendor": "argoproj", "product": "argo_cd", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.8.12", "versionType": "custom"}, {"status": "affected", "version": "2.9.0", "lessThan": "2.9.8", "versionType": "custom"}, {"status": "affected", "version": "2.10.0", "lessThan": "2.10.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T23:20:18.992Z"}}], "cna": {"title": "Cross-site scripting on application summary component in argo-cd", "source": {"advisory": "GHSA-jwv5-8mqv-g387", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"status": "affected", "version": ">= 1.0.0, < 2.8.12"}, {"status": "affected", "version": ">= 2.9.0, < 2.9.8"}, {"status": "affected", "version": ">= 2.10.0, < 2.10.3"}]}], "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387", "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71", "name": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-13T20:48:05.363Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28175", "state": "PUBLISHED", "dateUpdated": "2024-08-21T23:20:32.107Z", "dateReserved": "2024-03-06T17:35:00.856Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-13T20:48:05.363Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0393269-E1BA-4E3B-9A76-6EECFD36FDA5", "versionEndExcluding": "2.8.12", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFDD1F75-11BA-4CB4-BAD8-7A2DC23339D7", "versionEndExcluding": "2.9.8", "versionStartIncluding": "2.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "91F1733A-B8C1-4676-96B5-C9EF16E9C23B", "versionEndExcluding": "2.10.3", "versionStartIncluding": "2.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.\n\n"}, {"lang": "es", "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Debido al filtrado inadecuado de los protocolos URL de los enlaces especificados en las anotaciones `link.argocd.argoproj.io` en el componente de resumen de la aplicaci\u00f3n, un atacante puede lograr Cross Site Scripting con permisos elevados. Todas las versiones sin parches de Argo CD que comienzan con v1.0.0 son vulnerables a un error de Cross Site Scripting (XSS) que permite a un usuario malintencionado inyectar un enlace javascript: en la interfaz de usuario. Cuando un usuario v\u00edctima hace clic en \u00e9l, el script se ejecutar\u00e1 con los permisos de la v\u00edctima (hasta administrador incluido). Esta vulnerabilidad permite a un atacante realizar acciones arbitrarias en nombre de la v\u00edctima a trav\u00e9s de la API, como crear, modificar y eliminar recursos de Kubernetes. Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones de Argo CD v2.10.3 v2.9.8 y v2.8.12. No existen soluciones alternativas completamente seguras adem\u00e1s de actualizar. La alternativa m\u00e1s segura, si no es posible la actualizaci\u00f3n, ser\u00eda crear un controlador de admisi\u00f3n de Kubernetes para rechazar cualquier recurso con una anotaci\u00f3n que comience con link.argocd.argoproj.io o rechazar el recurso si el valor utiliza un protocolo URL inadecuado. Esta validaci\u00f3n deber\u00e1 aplicarse en todos los cl\u00fasteres gestionados por ArgoCD."}], "id": "CVE-2024-28175", "lastModified": "2025-01-09T17:05:59.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-13T21:16:00.570", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1345", "cpe": "cpe:/a:redhat:openshift_gitops:1.10::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.10.3-2", "product_name": "Red Hat OpenShift GitOps 1.10", "release_date": "2024-03-15T00:00:00Z"}, {"advisory": "RHSA-2024:1345", "cpe": "cpe:/a:redhat:openshift_gitops:1.10::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.10.3-2", "product_name": "Red Hat OpenShift GitOps 1.10", "release_date": "2024-03-15T00:00:00Z"}, {"advisory": "RHSA-2024:1345", "cpe": "cpe:/a:redhat:openshift_gitops:1.10::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.10.3-2", "product_name": "Red Hat OpenShift GitOps 1.10", "release_date": "2024-03-15T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/dex-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/kam-delivery-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1346", "cpe": "cpe:/a:redhat:openshift_gitops:1.11::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.11.2-2", "product_name": "Red Hat OpenShift GitOps 1.11", "release_date": "2024-03-16T00:00:00Z"}, {"advisory": "RHSA-2024:1441", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.12.0-19", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1441", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.12.0-19", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1441", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.12.0-19", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-03-20T00:00:00Z"}], "bugzilla": {"description": "argo-cd: XSS vulnerability in application summary component", "id": "2268518", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268518"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H", "status": "verified"}, "cwe": "CWE-79", "details": ["Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.", "A flaw was found in Argo CD. Due to improper filtering of URL protocols in the application summary component, a remote attacker can execute a cross-site scripting (XSS) attack with privileges to edit the application."], "name": "CVE-2024-28175", "public_date": "2024-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-28175\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28175\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"], "threat_severity": "Important", "upstream_fix": "argo-cd 2.8, argo-cd 2.9, argo-cd 2.10"}