CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-28175 – Cross-site scripting on application summary component in argo-cd
https://notcve.org/view.php?id=CVE-2024-28175
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. • https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71 https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387 https://access.redhat.com/security/cve/CVE-2024-28175 https://bugzilla.redhat.com/show_bug.cgi?id=2268518 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 1CVE-2024-22424 – Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd
https://notcve.org/view.php?id=CVE-2024-22424
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim’s behalf. For example, an attacker could send an Argo CD user a link to a page which looks harmless but in the background calls an Argo CD API endpoint to create an application running malicious code. Argo CD uses the “Lax” SameSite cookie policy to prevent CSRF attacks where the attacker controls an external domain. • https://github.com/argoproj/argo-cd/issues/2496 https://github.com/argoproj/argo-cd/pull/16860 https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg https://access.redhat.com/security/cve/CVE-2024-22424 https://bugzilla.redhat.com/show_bug.cgi?id=2259105 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40026 – Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
https://notcve.org/view.php?id=CVE-2023-40026
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. • https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-40025 – Argo CD web terminal session doesn't expire
https://notcve.org/view.php?id=CVE-2023-40025
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. • https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478 https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr https://access.redhat.com/security/cve/CVE-2023-40025 https://bugzilla.redhat.com/show_bug.cgi?id=2301445 • CWE-613: Insufficient Session Expiration •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41354 – ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
https://notcve.org/view.php?id=CVE-2022-41354
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications. An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges. • http://argo.com https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md https://access.redhat.com/security/cve/CVE-2022-41354 https://bugzilla.redhat.com/show_bug.cgi?id=2167820 • CWE-203: Observable Discrepancy •