CVE-2022-31035

Name of the Vulnerable Software and Affected Versions Argo CD versions 1.0.0 through 2.4.0 Argo CD versions 2.1.0 through 2.1.15 Argo CD versions 2.2.0 through 2.2.9 Argo CD versions 2.3.0 through 2.3.4

Description Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue is related to a cross-site scripting (XSS) bug, allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions, up to and including admin. This could enable the creation, modification, and deletion of Kubernetes resources.

Recommendations For versions prior to 2.1.16, upgrade to version 2.1.16 or later. For versions prior to 2.2.10, upgrade to version 2.2.10 or later. For versions prior to 2.3.5, upgrade to version 2.3.5 or later. For versions prior to 2.4.1, upgrade to version 2.4.1 or later. As a temporary workaround, consider avoiding clicking external links presented in the UI and carefully limiting who has permissions to edit resource manifests.