Upstream is planning to lift the embargo status on March 14th. The following is the currently known information; more will be added as it becomes available:

Impact
Due to the improper filtering of URL protocols in the application summary component, an attacker with permission to edit the application can achieve cross-site scripting.

Patches
A patch for this vulnerability has been released in the following Argo CD versions: v2.8, v2.9, v2.10

Workarounds
The only way to completely resolve the issue is to upgrade.

Mitigations
- Avoid clicking external links presented in the UI.
- The link's title is user-configurable, so even if you hover over the link and the tooltip looks safe, the link might be malicious. The only way to be certain that the link is safe is to inspect the page's source.
- Carefully limit who has permissions to edit Kubernetes resource manifests (this is configured in RBAC for Argo CD).
- The external links are set as annotations on Kubernetes resources. Any person with write access to resources managed by Argo CD could be an actor.
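The fix the advisory describes is protocol allowlisting of annotation-supplied link targets before they are rendered in the UI. The following is an added example, not Argo CD's own code: it parses each candidate href with the WHATWG URL parser, accepts only http: and https:, and audits a set of constructed Kubernetes manifests for external-link annotations that would be rejected. The annotation prefix and the assumption that the annotation value is the raw href are assumptions for this example.

```javascript
// Added example (not Argo CD's code). Allowlist the URL scheme of external
// links taken from resource annotations before they reach an <a href>.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized href, or null when the link must not be rendered.
function safeExternalHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // No base URL: scheme-less or relative values throw and are rejected.
    // The WHATWG parser trims surrounding whitespace, drops embedded tabs
    // and newlines and lowercases the scheme, so url.protocol is canonical
    // and the Set lookup cannot be sidestepped by case or padding.
    url = new URL(raw);
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Assumed annotation prefix for external links (verify against your version).
const LINK_PREFIX = 'link.argocd.argoproj.io/';

// Audit manifests; returns every link annotation whose value fails the check.
function auditExternalLinks(manifests) {
  const rejected = [];
  for (const m of manifests) {
    const annotations = (m.metadata && m.metadata.annotations) || {};
    for (const [key, value] of Object.entries(annotations)) {
      if (!key.startsWith(LINK_PREFIX)) continue;
      if (safeExternalHref(value) === null) {
        rejected.push({ name: m.metadata.name, key, value });
      }
    }
  }
  return rejected;
}

// Constructed sample manifests (hypothetical names and hosts).
const SAMPLE_MANIFESTS = [
  { metadata: { name: 'api', annotations: { [LINK_PREFIX + 'external-link']: 'https://grafana.example.invalid/d/api' } } },
  { metadata: { name: 'worker', annotations: { [LINK_PREFIX + 'external-link']: 'javascript:void(0)' } } },
  { metadata: { name: 'cache', annotations: { [LINK_PREFIX + 'external-link']: ' DATA:text/html,runbook' } } },
  { metadata: { name: 'db', annotations: { [LINK_PREFIX + 'external-link']: 'runbooks.example.invalid/db' } } },
  { metadata: { name: 'plain' } },
];

console.log(auditExternalLinks(SAMPLE_MANIFESTS)); // worker, cache and db are flagged
```

Running the same audit over `kubectl get all -A -o json` output gives a cluster-side check of who has already set links that the patched UI would refuse to render.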
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.10 Via RHSA-2024:1345 https://access.redhat.com/errata/RHSA-2024:1345
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.11 Via RHSA-2024:1346 https://access.redhat.com/errata/RHSA-2024:1346
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.12, Red Hat OpenShift GitOps 1.12 - RHEL 9 Via RHSA-2024:1441 https://access.redhat.com/errata/RHSA-2024:1441