Bug 2268518 (CVE-2024-28175) - CVE-2024-28175 argo-cd: XSS vulnerability in application summary component
Summary: CVE-2024-28175 argo-cd: XSS vulnerability in application summary component
Keywords:
Status: NEW
Alias: CVE-2024-28175
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269482 2269483
Blocks: 2268516
Reported: 2024-03-07 23:42 UTC by Robb Gatica
Modified: 2024-03-20 11:58 UTC

Fixed In Version: argo-cd 2.8, argo-cd 2.9, argo-cd 2.10
Doc Type: ---
Doc Text:
A flaw was found in Argo CD. Due to improper filtering of URL protocols in the application summary component, a remote attacker can execute a cross-site scripting (XSS) attack with privileges to edit the application.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
Red Hat Product Errata RHSA-2024:1345 (last updated 2024-03-15 17:29:53 UTC)
Red Hat Product Errata RHSA-2024:1346 (last updated 2024-03-16 00:33:39 UTC)
Red Hat Product Errata RHSA-2024:1441 (last updated 2024-03-20 11:58:20 UTC)

Description Robb Gatica 2024-03-07 23:42:01 UTC
Upstream is planning to lift the embargo status on March 14th. The following is the currently known information; I will add more as it becomes available:

Impact
Due to the improper filtering of URL protocols in the application summary component, an attacker can achieve cross-site scripting with permission to edit the application.

Patches
A patch for this vulnerability has been released in the following Argo CD versions: v2.8, v2.9, v2.10

Workarounds
The only way to completely resolve the issue is to upgrade.

Mitigations
- Avoid clicking external links presented in the UI.
- The link's title is user-configurable. So even if you hover the link, and the tooltip looks safe, the link might be malicious. The only way to be certain that the link is safe is to inspect the page's source.
- Carefully limit who has permissions to edit Kubernetes resource manifests (this is configured in RBAC for Argo CD).
- The external links are set as annotations on Kubernetes resources. Any person with write access to resources managed by Argo CD could be an actor.
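The mitigations above describe the mechanism: the UI renders links taken from an annotation on Kubernetes resources, and the flaw was that the URL protocol of those values was not filtered. The following is an added example of a defender-side allowlist check over such annotation values; it is not code from Argo CD, from the reporter, or from the upstream patch. It assumes the annotation key `link.argocd.argoproj.io/external-link` (the key Argo CD documents for its external-link feature) and an optional `Title|URL` value form; the http/https-only policy is this example's choice. The sample manifests are constructed.

```javascript
// Added example: allowlist validation of external-link annotation values.
// Not Argo CD's code and not the upstream fix. The annotation key is the
// one Argo CD documents for external links; the "Title|URL" value form and
// the http/https-only policy are assumptions made for this example.
const EXTERNAL_LINK_ANNOTATION = 'link.argocd.argoproj.io/external-link';
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse one annotation value into { title, url }, or return null when the
// URL is not an absolute http(s) URL. Using the WHATWG URL parser instead
// of a regex matters: it lower-cases the scheme and strips embedded tabs
// and newlines, so variants like "JavaScript:" or "java\tscript:" are
// normalised before the allowlist check rather than slipping past it.
function parseExternalLink(value) {
  const sep = value.indexOf('|');
  const title = sep >= 0 ? value.slice(0, sep).trim() : '';
  const raw = sep >= 0 ? value.slice(sep + 1) : value;
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch (e) {
    return null; // relative or malformed: nothing safe to render as a link
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return null; // javascript:, data:, vbscript:, ftp:, ... all rejected
  }
  // A user-configurable title is kept only as text; the href is the parsed,
  // normalised URL, never the raw annotation string.
  return { title: title || parsed.href, url: parsed.href };
}

// Audit a list of resources, separating renderable links from rejected
// annotation values so an operator can see what was dropped and where.
function auditResources(resources) {
  const accepted = [];
  const rejected = [];
  for (const res of resources) {
    const annotations = (res.metadata && res.metadata.annotations) || {};
    const value = annotations[EXTERNAL_LINK_ANNOTATION];
    if (typeof value !== 'string') continue;
    const name = `${res.kind}/${res.metadata.name}`;
    const link = parseExternalLink(value);
    if (link) {
      accepted.push({ resource: name, title: link.title, url: link.url });
    } else {
      rejected.push({ resource: name, value });
    }
  }
  return { accepted, rejected };
}

// Constructed sample manifests (not from the advisory): one benign link and
// three values that a protocol allowlist must reject.
const SAMPLE_RESOURCES = [
  { kind: 'Deployment', metadata: { name: 'web', annotations: {
      [EXTERNAL_LINK_ANNOTATION]: 'Dashboard|https://grafana.example.internal/d/web' } } },
  { kind: 'Service', metadata: { name: 'api', annotations: {
      [EXTERNAL_LINK_ANNOTATION]: 'Docs|javascript:void(0)' } } },
  { kind: 'ConfigMap', metadata: { name: 'cfg', annotations: {
      [EXTERNAL_LINK_ANNOTATION]: 'Help|java\tscript:void(0)' } } },
  { kind: 'Ingress', metadata: { name: 'edge', annotations: {
      [EXTERNAL_LINK_ANNOTATION]: 'data:text/html,oops' } } },
];

const REPORT = auditResources(SAMPLE_RESOURCES);
console.log(JSON.stringify(REPORT, null, 2));
```

The same audit can be run as a read-only pass over live manifests (for example over `kubectl get ... -o json` output) to find annotation values that would have been rendered verbatim by an unpatched UI; that is a detection aid for the "who has write access" question in the mitigations, not a substitute for upgrading.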

Comment 3 errata-xmlrpc 2024-03-15 17:29:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:1345 https://access.redhat.com/errata/RHSA-2024:1345

Comment 5 errata-xmlrpc 2024-03-16 00:33:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:1346 https://access.redhat.com/errata/RHSA-2024:1346

Comment 7 errata-xmlrpc 2024-03-20 11:58:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12
  Red Hat OpenShift GitOps 1.12 - RHEL 9

Via RHSA-2024:1441 https://access.redhat.com/errata/RHSA-2024:1441