PT-2024-1295 · Argo CD

An Trinh · Published 2024-01-14 · Updated 2024-08-07 · CVE-2024-22424

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Argo CD versions prior to 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15

Description: The issue is a cross-site request forgery (CSRF) attack. An attacker can trick an authenticated Argo CD user into loading a web page that contains code to call Argo CD API endpoints on the victim's behalf. This can be done by sending a link to a page that looks harmless but in the background calls an Argo CD API endpoint to create an application that runs malicious code. The attack is possible when the attacker can write HTML to a page on the same parent domain as Argo CD. Because the Content-Type header is not properly validated, the attacker can set it to a value the browser considers "not sensitive", such as text/plain; the browser then sends the request without a CORS preflight, and Argo CD accepts the body and performs the requested action.

Recommendations: To resolve the issue, upgrade to one of the following versions: 2.10-rc2, 2.9.4, 2.8.8, or 2.7.15. Note that the patch contains a breaking API change: the Argo CD API will no longer accept non-GET requests that do not specify application/json as their Content-Type. The list of accepted content types is configurable, but disabling the content type check completely is discouraged. As a temporary workaround, consider restricting access to the Argo CD API endpoints to minimize the risk of exploitation. Avoid using the Content-Type header with values other than application/json on the affected API endpoints until the issue is resolved.
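The check the fix introduces, as an added Go example that is not Argo CD's own code: a middleware that rejects non-GET API requests whose Content-Type is not on an allowlist, so a text/plain POST that a browser would send without a CORS preflight is never acted on. The allowlist, the `/api/v1/applications` path and the `statusFor` helper are assumptions for illustration.

```go
package main

import (
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Only application/json is accepted by default; the set is configurable,
// but emptying it reopens the CSRF path described in the advisory.
var allowedContentTypes = map[string]bool{"application/json": true}

// enforceContentType rejects non-read requests whose Content-Type is not in
// the allowlist. A cross-origin page can send a text/plain POST without a CORS
// preflight; refusing such bodies means the forged request is never acted on.
func enforceContentType(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // read-only methods are not subject to the check
			return
		}
		// Parse the media type so "application/json; charset=utf-8" still matches
		// while a missing or malformed header is rejected.
		mediaType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || !allowed[mediaType] {
			http.Error(w, "unsupported Content-Type, expected application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor pushes a constructed request through the middleware and returns the
// status code. The path is illustrative; the wrapped handler simply replies 200.
func statusFor(method, contentType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/api/v1/applications", strings.NewReader(`{"metadata":{}}`))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	enforceContentType(allowedContentTypes, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

A 415 for text/plain and for a missing header, with a 200 for a JSON body, shows the check is doing what the patched versions do.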

Tags: Exploit, Fix, CSRF


Weakness Enumeration

Related Identifiers: BDU:2024-00734, CVE-2024-22424, GHSA-92MW-Q256-5VWG

Affected Products: Argo CD