Description
Argo CD allows cross-site scripting on repositories page
Impact
This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.
In ui/src/app/shared/components/urls.ts, the following code exists to parse the repository URL.
Since this code doesn't validate the protocol of repository URLs, it's possible to inject javascript: URLs here.
As the return value of this function is used in the href attribute of the a tag, it's possible to achieve cross-site scripting by using javascript: URLs.
Browsers may return the proper hostname for javascript: URLs, allowing exploitation of this vulnerability.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v3.0.4
- v2.14.13
- v2.13.8
The patch incorporates a way to validate the URL being passed in, returning null if the validation fails.
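As an added example that is not Argo CD's own code (the allowed-scheme list is an assumption for illustration), this is the shape of the check the patch describes: parse the repository URL, accept only known schemes, and return null otherwise, so a javascript: URL never reaches an href attribute.

```typescript
// Added example, not the project's code. Allowed schemes are an assumption:
// the real list must match the repository types the application supports.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'ssh:', 'git:']);

// Returns a normalized href for the repository URL, or null when the URL
// cannot be parsed or uses a scheme outside the allowlist.
function safeRepoHref(repoUrl: string): string | null {
  let parsed: URL;
  try {
    // The WHATWG parser lowercases the scheme and strips embedded tabs and
    // newlines, so "JavaScript:" or "java\tscript:" normalize to "javascript:".
    // Checking parsed.protocol is therefore more robust than a string-prefix test.
    parsed = new URL(repoUrl.trim());
  } catch {
    // Unparseable input (including scp-style git@host:path) is rejected rather
    // than passed through to the template.
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return null;
  }
  return parsed.href;
}

// Hostname to display in the UI; only derived from a URL that passed validation.
function repoHostname(repoUrl: string): string | null {
  const href = safeRepoHref(repoUrl);
  return href === null ? null : new URL(href).hostname;
}
```

Validation happens before the hostname is derived, so a browser returning a plausible hostname for a javascript: URL no longer matters.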
Workarounds
There are no workarounds other than depending on the browser to filter the URL.
Credits
Disclosed by RyotaK (@Ry0taK).
For more information
Open an issue in the Argo CD issue tracker or discussions. Join us on Slack in channel #argo-cd.
Packages
Package                           Affected versions          Patched version
github.com/argoproj/argo-cd       >= 1.2.0-rc1, <= 1.8.7     None
github.com/argoproj/argo-cd/v2    >= 2.0.0-rc3, < 2.13.8     2.13.8
github.com/argoproj/argo-cd/v2    >= 2.14.0-rc1, < 2.14.13   2.14.13
github.com/argoproj/argo-cd/v3    < 3.0.4                    3.0.4
Related vulnerabilities
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.
A vulnerability in Argo CD, the declarative GitOps continuous delivery tool for Kubernetes, caused by a failure to protect the structure of the web page, allowing an attacker to carry out cross-site scripting attacks.