Bug 2268518 (CVE-2024-28175)

Summary: CVE-2024-28175 argo-cd: XSS vulnerability in application summary component
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: security-response-team, shbose
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: argo-cd 2.8, argo-cd 2.9, argo-cd 2.10
Doc Type: ---
Doc Text:
A flaw was found in Argo CD. Due to improper filtering of URL protocols in the application summary component, a remote attacker can execute a cross-site scripting (XSS) attack with privileges to edit the application.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2269482, 2269483
Bug Blocks: 2268516

Description Robb Gatica 2024-03-07 23:42:01 UTC
Upstream is planning to lift the embargo status on March 14th. The following is the currently known information; more will be added as it becomes available:

Impact
Due to the improper filtering of URL protocols in the application summary component, an attacker can achieve cross-site scripting with permission to edit the application.

Patches
A patch for this vulnerability has been released in the following Argo CD versions: v2.8, v2.9, v2.10

Workarounds
The only way to completely resolve the issue is to upgrade.

Mitigations
- Avoid clicking external links presented in the UI.
- The link's title is user-configurable. So even if you hover the link, and the tooltip looks safe, the link might be malicious. The only way to be certain that the link is safe is to inspect the page's source.
- Carefully limit who has permissions to edit Kubernetes resource manifests (this is configured in RBAC for Argo CD).
- The external links are set as annotations on Kubernetes resources. Any person with write access to resources managed by Argo CD could be an actor.
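The flaw described in this report comes down to a missing scheme check on user-supplied link targets that the UI turns into clickable anchors. The following is an added illustrative example, not Argo CD's own code and not its actual fix, of how a web UI can sanitize such links on the defensive side: each candidate link is parsed with the WHATWG URL API and only rendered when its scheme is on a short allowlist, and the user-controlled title is HTML-escaped so it cannot carry markup either. The annotation key prefix `link.argocd.argoproj.io/`, the `Title|URL` value format and the sample annotations are assumptions constructed for this example.

```javascript
// Added example, not Argo CD's own code. Demonstrates allowlist-based
// scheme filtering for external links built from resource annotations.
// Assumption for this example: link annotations use keys starting with
// LINK_PREFIX and values of the form "URL" or "Title|URL".
const LINK_PREFIX = 'link.argocd.argoproj.io/';
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Return the normalized absolute URL when its scheme is on the allowlist,
// otherwise null. Relative and malformed inputs are rejected as well.
function sanitizeExternalLink(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw.trim()); // throws on relative or malformed input
  } catch (_) {
    return null; // only absolute external links are acceptable here
  }
  // The URL parser lowercases the scheme and strips embedded tab/newline
  // characters, so "JavaScript:" or "java\tscript:" do not slip past the check.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Collect the safe links from a resource's annotations. Unsafe links are
// dropped, and their keys are reported so an operator can see what was filtered.
function collectExternalLinks(annotations) {
  const links = [];
  const rejected = [];
  for (const [key, value] of Object.entries(annotations || {})) {
    if (!key.startsWith(LINK_PREFIX)) continue;
    const sep = value.indexOf('|');
    const title = sep >= 0 ? value.slice(0, sep).trim() : value.trim();
    const target = sep >= 0 ? value.slice(sep + 1) : value;
    const href = sanitizeExternalLink(target);
    if (href === null) {
      rejected.push(key);
      continue;
    }
    links.push({ title, href });
  }
  return { links, rejected };
}

// Render one sanitized link as an anchor; both attribute and text are escaped,
// and the new-tab anchor gets rel="noopener noreferrer".
function toAnchorHtml({ title, href }) {
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(title)}</a>`;
}

// Constructed sample annotations (not taken from any real deployment).
const SAMPLE_ANNOTATIONS = {
  'link.argocd.argoproj.io/external-link': 'Dashboard|https://grafana.example.internal/d/abc',
  'link.argocd.argoproj.io/runbook': 'https://wiki.example.internal/runbook',
  'link.argocd.argoproj.io/bad-scheme': 'Looks safe|JavaScript:void(0)',
  'link.argocd.argoproj.io/relative': 'Docs|/relative/path',
  'other.annotation/ignored': 'javascript:void(0)', // not a link annotation, never rendered
};

const result = collectExternalLinks(SAMPLE_ANNOTATIONS);
for (const link of result.links) console.log(toAnchorHtml(link));
console.log('filtered out:', result.rejected);
```

The point of the allowlist, rather than a denylist of dangerous schemes, is that new or unusual schemes fail closed. Note that this only covers the `href`; the mitigation in the report about user-configurable titles is why the title is escaped as text as well.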

Comment 3 errata-xmlrpc 2024-03-15 17:29:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:1345 https://access.redhat.com/errata/RHSA-2024:1345

Comment 5 errata-xmlrpc 2024-03-16 00:33:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:1346 https://access.redhat.com/errata/RHSA-2024:1346

Comment 7 errata-xmlrpc 2024-03-20 11:58:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12
  Red Hat OpenShift GitOps 1.12 - RHEL 9

Via RHSA-2024:1441 https://access.redhat.com/errata/RHSA-2024:1441