CVE-2022-31035: 
Argo CD vulnerability analysis and mitigation

CVE-2022-31035 affects Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, in versions 1.0.0 through 2.1.15, 2.2.9, 2.3.4, and 2.4.0. The vulnerability is a cross-site scripting (XSS) issue that allows malicious users to inject javascript links in the UI (GitHub Advisory).

The vulnerability is a cross-site scripting (XSS) bug that enables attackers to inject malicious javascript links into the UI through external URLs for deployments. When clicked by a victim user, the injected script executes with the victim's permissions, which could include admin privileges. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

The impact of this vulnerability is severe as the executed script can perform any action possible through the UI or API, including creating, modifying, and deleting Kubernetes resources. The scope of the impact depends on the victim's permission level, with the most severe case being when an admin user clicks the malicious link (GitHub Advisory).

Patches have been released in Argo CD versions v2.4.1, v2.3.5, v2.2.10, and v2.1.16. There are no completely-safe workarounds besides upgrading. As temporary mitigations, users should avoid clicking external links presented in the UI and carefully limit who has permissions to edit resource manifests through RBAC configuration (GitHub Advisory).

The vulnerability was disclosed by ADA Logics during a security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Credit for the discovery goes to Adam Korczynski and David Korczynski for their work on the audit (GitHub Advisory).