PT-2021-15451 · Argo Cd · Argo Cd

Jannfis · Published 2021-03-03 · Updated 2024-08-21 · CVE-2021-23347

CVSS v3.1: 4.8 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: argo-cd versions prior to 1.7.14 (fixed in 1.7.14); argo-cd versions 1.8.0 through 1.8.6 (fixed in 1.8.7)
Description: Cross-site Scripting (XSS) in the SSO login flow. When a login through the SSO provider configured for Argo CD fails, the provider returns an error message, and Argo CD rendered that provider-supplied message into the page shown to the user without HTML-escaping it. A malicious or compromised provider can therefore embed JavaScript in the error message and have it executed in the user's browser. Exploitation is believed to be possible only when Argo CD is connected to a compromised or malicious SSO provider, which is why the vector rates privileges required as high (PR:H) and user interaction as required (UI:R): the victim has to start an SSO login against that provider.
Recommendations: For argo-cd versions prior to 1.7.14, update to version 1.7.14 or later. For argo-cd versions 1.8.0 through 1.8.6, update to version 1.8.7 or later. As a temporary workaround, do not use SSO with the CLI when you do not trust your SSO provider.
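The weakness class behind this advisory, and the shape of the fix, as an added Go example (illustrative code written for this page, not Argo CD's own source; the handler names, the localhost callback path and the error text are constructed). A malicious provider redirects the victim's browser to the login callback with an `error_description` containing a script; the vulnerable handler interpolates it into HTML, the hardened one renders it through `html/template`, which escapes it, and additionally sends a restrictive Content-Security-Policy as defence in depth (an addition of the example, not something the advisory prescribes):

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample (not a real capture): the redirect a malicious OIDC
// provider could send the browser to after a failed authorization. The
// "error" and "error_description" query parameters are provider-controlled.
// The localhost callback URL is a hypothetical CLI login callback.
const maliciousCallback = "http://localhost:8085/auth/callback" +
	"?error=access_denied" +
	"&error_description=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"

// vulnerableCallback shows the weakness class: provider-supplied error text is
// interpolated straight into the HTML page shown to the user, so any markup in
// it becomes part of the document and runs in the user's browser.
func vulnerableCallback(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if code := q.Get("error"); code != "" {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintf(w, "<html><body><h1>Login failed: %s</h1><p>%s</p></body></html>",
			code, q.Get("error_description"))
		return
	}
	fmt.Fprint(w, "<html><body>Login successful</body></html>")
}

// errPage is rendered with html/template, which escapes every interpolated
// value for the HTML context it lands in (here: text content).
var errPage = template.Must(template.New("err").Parse(
	"<html><body><h1>Login failed: {{.Code}}</h1><p>{{.Description}}</p></body></html>"))

// hardenedCallback renders the same message through the escaping template.
// The page is built in a buffer first so a render error never leaves a
// half-written body behind.
func hardenedCallback(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if code := q.Get("error"); code != "" {
		var buf bytes.Buffer
		data := struct{ Code, Description string }{code, q.Get("error_description")}
		if err := errPage.Execute(&buf, data); err != nil {
			http.Error(w, "failed to render error page", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		// Defence in depth (example's own choice): no scripts at all on this page.
		w.Header().Set("Content-Security-Policy", "default-src 'none'")
		w.Write(buf.Bytes())
		return
	}
	fmt.Fprint(w, "<html><body>Login successful</body></html>")
}

// render drives a handler with the callback URL in-process and returns the
// response body, so both variants can be compared without a real provider.
func render(h http.HandlerFunc, rawURL string) string {
	req := httptest.NewRequest(http.MethodGet, rawURL, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// reflectsScript reports whether the page still carries the provider payload
// as executable markup rather than as escaped text.
func reflectsScript(body string) bool {
	return strings.Contains(body, "<script>")
}

func main() {
	for _, name := range []string{"vulnerable", "hardened"} {
		h := vulnerableCallback
		if name == "hardened" {
			h = hardenedCallback
		}
		body := render(h, maliciousCallback)
		fmt.Printf("%-10s reflects script: %v\n%s\n\n", name, reflectsScript(body), body)
	}
}
```

Running it prints the vulnerable page with a live `<script>` element and the hardened page with `&lt;script&gt;…&lt;/script&gt;` as inert text. The same check (drive the callback with a crafted `error_description` and look for unescaped markup in the response) is a quick way to confirm an upgraded deployment no longer reflects provider-supplied error text.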

Tags: Fix · XSS

Weakness Enumeration: Cross-site Scripting (XSS), CWE-79

Related Identifiers

BIT-ARGO-CD-2021-23347
CVE-2021-23347
GHSA-QQ5V-F4C3-395C
GO-2022-0869
SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291

Affected Products

Argo Cd