Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2024-28175
CVE-2024-28175:
Chainguard vulnerability analysis and mitigation
Overview
CVE-2024-28175 is a critical cross-site scripting (XSS) vulnerability discovered in Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. The vulnerability affects all unpatched versions starting from v1.0.0 and stems from improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations within the application summary component. The vulnerability was disclosed on March 13, 2024, and was assigned a CVSS score of 9.0 (Critical) (GitHub Advisory).
Technical details
The vulnerability exists due to insufficient validation of URL protocols in the application summary component of Argo CD. When malicious users inject javascript: links in the UI through the link.argocd.argoproj.io annotations, these links can execute arbitrary JavaScript code when clicked by other users. The executed code runs with the victim's permissions, which could extend up to full administrative privileges. The vulnerability has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 9.0 with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD, GitHub Advisory).
Impact
The vulnerability allows attackers to perform arbitrary actions on behalf of victims via the API, including creating, modifying, and deleting Kubernetes resources. When exploited, the attacker can execute code with the permissions of the victim user, potentially gaining full administrative access to the system. This could lead to unauthorized access to confidential information within deployments and potentially serve as a launchpad for further attacks (Security Online).
Mitigation and workarounds
The vulnerability has been patched in Argo CD versions v2.10.3, v2.9.8, and v2.8.12. For organizations unable to upgrade immediately, the recommended workaround is to implement a Kubernetes admission controller that rejects resources with annotations starting with link.argocd.argoproj.io or those using improper URL protocols. This validation must be applied across all ArgoCD-managed clusters. Users are advised to avoid clicking external links presented in the UI and carefully limit permissions for editing Kubernetes resource manifests through RBAC configuration (GitHub Advisory).
Community reactions
The vulnerability was discovered and reported by security researcher RyotaK (@Ry0taK). The Argo CD team responded promptly by releasing patches and providing detailed mitigation guidance (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management