This article discusses a cross-site scripting vulnerability in Argo CD (GHSA-2hj5-g64g-fp6p) caused by improper filtering of URL protocols in repository URLs. Because the injected script runs in a logged-in user's browser, it can call the Argo CD API with that user's permissions and perform actions such as creating and deleting Kubernetes resources. Patches have been released in specific versions to address the issue, and no effective workaround is available.
#ArgoCD #URLVulnerability
Key points
- The flaw is cross-site scripting: a repository URL with a javascript: protocol is rendered as a link in the Argo CD UI, and the script it carries runs in the browser of the user who follows it. From there it can call the API with that user's permissions and perform arbitrary actions, including creating and deleting Kubernetes resources.
- The root cause is that the repository URL handling code does not validate the URL's protocol before building the link.
- The affected code neither rejects nor filters javascript: URLs, so the attacker-controlled string is placed into the link target unchanged.
- Patches are released in versions v3.0.4, v2.14.13, and v2.13.8 to fix the validation issue.
- There are no effective workarounds other than browser-level XSS filtering, which should not be relied on; applying the updates is the only real fix.
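As an added example (not Argo CD's own code and not taken from the advisory), the pattern at issue in a small TypeScript module: a link builder that passes the repository URL straight into href, beside a hardened version that allowlists the scheme before building the link and rewrites ssh:// and user@host:path remotes to https. The function names, the scheme allowlist and the sample URLs are assumptions for illustration. It also shows why HTML-escaping the attribute alone does not help: `javascript:alert(1)` contains nothing to escape and survives unchanged.

```typescript
// Added example, not Argo CD's own code. Names and the allowlist are illustrative.

const SAFE_SCHEMES = new Set(['http', 'https']);

// Browsers strip leading/trailing C0 controls and spaces and remove ASCII
// tab/LF/CR anywhere before parsing, so "java\tscript:" or " javascript:"
// reaches the same handler as "javascript:". Mirror that before checking.
export function normalizeUrl(raw: string): string {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Returns the lowercased scheme, or null when the string has none
// (e.g. scp-style "git@host:path").
export function extractScheme(raw: string): string | null {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable pattern: the repository URL becomes the href unchanged, so a
// "javascript:" target runs in the viewer's session when the link is followed.
export function repoHrefVulnerable(repoUrl: string): string {
  return repoUrl;
}

// Hardened pattern: only http(s) targets become links; ssh:// and
// user@host:path remotes are rewritten to https; everything else yields null.
export function repoHrefSafe(repoUrl: string): string | null {
  const url = normalizeUrl(repoUrl);
  const scheme = extractScheme(url);
  if (scheme === null) {
    // scp-like syntax such as git@github.com:argoproj/argo-cd.git
    const m = /^[\w.\-]+@([\w.\-]+):([\w.\/\-]+?)(?:\.git)?\/?$/.exec(url);
    return m ? `https://${m[1]}/${m[2]}` : null;
  }
  if (scheme === 'ssh') {
    const m = /^ssh:\/\/(?:[\w.\-]+@)?([\w.\-]+)(?::\d+)?\/([\w.\/\-]+?)(?:\.git)?\/?$/i.exec(url);
    return m ? `https://${m[1]}/${m[2]}` : null;
  }
  if (!SAFE_SCHEMES.has(scheme)) {
    return null; // javascript:, data:, vbscript:, file:, ...
  }
  return url.replace(/\.git$/, '');
}

export function escapeHtml(s: string): string {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Renders the repository as a link only when a safe href exists, otherwise as
// plain text. escapeHtml alone would not have stopped javascript:alert(1).
export function renderRepoLink(repoUrl: string): string {
  const href = repoHrefSafe(repoUrl);
  const text = escapeHtml(repoUrl);
  return href === null
    ? `<span>${text}</span>`
    : `<a href="${escapeHtml(href)}">${text}</a>`;
}
```

The decision that matters is rendering the URL as plain text when its scheme is not on the allowlist. Encoding the attribute cannot neutralise a javascript: target, because the browser decodes the attribute value before it dispatches on the scheme, and a startsWith('javascript:') check is bypassed by case changes, leading whitespace or an embedded tab, which is why the check runs on the normalized string.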
Read More: https://github.com/advisories/GHSA-2hj5-g64g-fp6p