VYPR
← All advisories
Critical severityNVD Advisory· Published Mar 13, 2024· Updated Aug 21, 2024

Cross-site scripting on application summary component in argo-cd

CVE-2024-28175

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/argoproj/argo-cdGo
>= 1.0.0, <= 1.8.7
github.com/argoproj/argo-cd/v2Go
>= 2.9.0, < 2.9.82.9.8
github.com/argoproj/argo-cd/v2Go
>= 2.10.0, < 2.10.32.10.3
github.com/argoproj/argo-cd/v2Go
>= 2.0.0, < 2.8.122.8.12

Affected products

1

Patches

1
479b5544b57d

Merge pull request from GHSA-jwv5-8mqv-g387

https://github.com/argoproj/argo-cdRyotaKMar 13, 2024via ghsa
commit
3 files changed · +89 13
  • ui/src/app/applications/components/application-summary/application-summary.tsx+8 8 modified
    @@ -30,6 +30,7 @@ import {EditAnnotations} from './edit-annotations';
 
 import './application-summary.scss';
 import {DeepLinks} from '../../../shared/components/deep-links';
+import {ExternalLinks} from '../application-urls';
 
 function swap(array: any[], a: number, b: number) {
     array = array.slice();
@@ -341,20 +342,19 @@ export const ApplicationSummary = (props: ApplicationSummaryProps) => {
             )
         }
     ];
-
-    const urls = app.status.summary.externalURLs || [];
+    const urls = ExternalLinks(app.status.summary.externalURLs);
     if (urls.length > 0) {
         attributes.push({
             title: 'URLs',
             view: (
                 <React.Fragment>
-                    {urls
-                        .map(item => item.split('|'))
-                        .map((parts, i) => (
-                            <a key={i} href={parts.length > 1 ? parts[1] : parts[0]} target='__blank'>
-                                {parts[0]} &nbsp;
+                    {urls.map((url, i) => {
+                        return (
+                            <a key={i} href={url.ref} target='__blank'>
+                                {url.title} &nbsp;
                             </a>
-                        ))}
+                        );
+                    })}
                 </React.Fragment>
             )
         });
  • ui/src/app/applications/components/application-urls.test.ts+67 1 modified
    @@ -1,4 +1,4 @@
-import {ExternalLink, InvalidExternalLinkError} from './application-urls';
+import { ExternalLink, ExternalLinks, InvalidExternalLinkError } from './application-urls';
 
 test('rejects malicious URLs', () => {
     expect(() => {
@@ -7,6 +7,16 @@ test('rejects malicious URLs', () => {
     expect(() => {
         const _ = new ExternalLink('data:text/html;<h1>hi</h1>');
     }).toThrowError(InvalidExternalLinkError);
+    expect(() => {
+        const _ = new ExternalLink('title|data:text/html;<h1>hi</h1>');
+    }).toThrowError(InvalidExternalLinkError);
+    expect(() => {
+        const _ = new ExternalLink('data:title|data:text/html;<h1>hi</h1>');
+    }).toThrowError(InvalidExternalLinkError);
+
+    expect(() => {
+        const _ = new ExternalLink('data:title|https://localhost:8080/applications');
+    }).not.toThrowError(InvalidExternalLinkError);
 });
 
 test('allows absolute URLs', () => {
@@ -18,3 +28,59 @@ test('allows relative URLs', () => {
     window.location = new URL('https://localhost:8080/applications');
     expect(new ExternalLink('/applications').ref).toEqual('/applications');
 });
+
+
+test('URLs format', () => {
+    expect(new ExternalLink('https://localhost:8080/applications')).toEqual({
+        ref: 'https://localhost:8080/applications',
+        title: 'https://localhost:8080/applications',
+    })
+    expect(new ExternalLink('title|https://localhost:8080/applications')).toEqual({
+        ref: 'https://localhost:8080/applications',
+        title: 'title',
+    })
+});
+
+
+test('malicious URLs from list to be removed', () => {
+    const urls: string[] = [
+        'javascript:alert("hi")',
+        'https://localhost:8080/applications',
+    ]
+    const links = ExternalLinks(urls);
+
+    expect(links).toHaveLength(1);
+    expect(links).toContainEqual({
+        ref: 'https://localhost:8080/applications',
+        title: 'https://localhost:8080/applications',
+    });
+});
+
+
+test('list to be sorted', () => {
+    const urls: string[] = [
+        'https://a',
+        'https://b',
+        'a|https://c',
+        'z|https://c',
+        'x|https://d',
+        'x|https://c',
+    ]
+    const links = ExternalLinks(urls);
+
+    // 'a|https://c',
+    // 'x|https://c',
+    // 'x|https://d',
+    // 'z|https://c',
+    // 'https://a',
+    // 'https://b',
+    expect(links).toHaveLength(6);
+    expect(links[0].title).toEqual('a')
+    expect(links[1].title).toEqual('x')
+    expect(links[1].ref).toEqual('https://c')
+    expect(links[2].title).toEqual('x')
+    expect(links[2].ref).toEqual('https://d')
+    expect(links[3].title).toEqual('z')
+    expect(links[4].title).toEqual('https://a')
+    expect(links[5].title).toEqual('https://b')
+});
  • ui/src/app/applications/components/application-urls.tsx+14 4 modified
    @@ -29,7 +29,7 @@ export class ExternalLink {
     }
 }
 
-export const ApplicationURLs = ({urls}: {urls: string[]}) => {
+export const ExternalLinks = (urls?: string[]) => {
     const externalLinks: ExternalLink[] = [];
     for (const url of urls || []) {
         try {
@@ -42,16 +42,26 @@ export const ApplicationURLs = ({urls}: {urls: string[]}) => {
 
     // sorted alphabetically & links with titles first
     externalLinks.sort((a, b) => {
-        if (a.title !== '' && b.title !== '') {
+        const hasTitle = (x: ExternalLink): boolean => {
+            return x.title !== x.ref && x.title !== '';
+        };
+
+        if (hasTitle(a) && hasTitle(b) && a.title !== b.title) {
             return a.title > b.title ? 1 : -1;
-        } else if (a.title === '') {
+        } else if (hasTitle(b) && !hasTitle(a)) {
             return 1;
-        } else if (b.title === '') {
+        } else if (hasTitle(a) && !hasTitle(b)) {
             return -1;
         }
         return a.ref > b.ref ? 1 : -1;
     });
 
+    return externalLinks;
+};
+
+export const ApplicationURLs = ({urls}: {urls: string[]}) => {
+    const externalLinks: ExternalLink[] = ExternalLinks(urls);
+
     return (
         ((externalLinks || []).length > 0 && (
             <div className='applications-list__external-links-icon-container'>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.