PT-2022-20529 · Argo CD · Argo CD

Adam Korczynski +1 · Published 2022-07-12 · Updated 2024-08-21 · CVE-2022-31102

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Argo CD versions 2.3.0 through 2.3.5
Argo CD versions 2.4.0 through 2.4.4

Description

The issue is a cross-site scripting (XSS) bug that could allow an attacker to inject arbitrary JavaScript in the "/auth/callback" page in a victim's browser. This vulnerability only affects Argo CD instances with single sign-on (SSO) enabled. The exploit requires the attacker to have access to the API server's encryption key, a method to add a cookie to the victim's browser, and the ability to convince the victim to visit a malicious "/auth/callback" link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access.

Recommendations

For Argo CD versions 2.3.0 through 2.3.5, update to version 2.3.6 to resolve the issue.
For Argo CD versions 2.4.0 through 2.4.4, update to version 2.4.5 to resolve the issue.
As a temporary workaround, consider disabling SSO until a patch is applied.
Restrict access to the "/auth/callback" page to minimize the risk of exploitation.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-31102
GHSA-PMJG-52H9-72QV
GO-2022-0517

Affected Products

Argo CD