linuxfoundation argo-cd CVE-2022-31035 in Linux Foundation and Argoproj Products
Published on June 27, 2022

External URLs for Deployments can include javascript in argo-cd

product logo product logo
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.

Github Repository NVD

Vulnerability Analysis

CVE-2022-31035 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2022-31035 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2022-31035

stack.watch emails you whenever new vulnerabilities are published in Linux Foundation Argo Cd or Argoproj Argo Cd. Just hit a watch button to start following.

Linux Foundation Argo Cd
 
Argoproj Argo Cd
 

Affected Versions

argoproj argo-cd:

Exploit Probability

EPSS
0.77%
Percentile
73.52%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.