Argo CD Cross-Site Scripting Vulnerability in Repository URL Handling

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Argo CD, a GitOps continuous delivery tool for Kubernetes, in versions prior to 2.13.8, 2.14.13, and 3.0.4. The issue arises from improper filtering of URL protocols on the repository page: an attacker with permission to edit the repository can inject a malicious script. Once that script executes in a victim's session, the attacker can perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, or deleting Kubernetes resources.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts can be executed in the context of the user, potentially leading to unauthorized actions being performed on their behalf. In this case, it could allow an attacker to manipulate Kubernetes resources through the Argo CD API.

Reproduction

To reproduce this vulnerability, access the repository page in an affected version of Argo CD. Inject a 'javascript:' URL into the repository URL field, which will bypass the inadequate protocol filtering. The injected script will execute in the context of the user, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Argo CD versions 2.13.8, 2.14.13, or 3.0.4, where this vulnerability has been patched. The patch includes improved validation of repository URLs to prevent the injection of malicious scripts.
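
The kind of repository URL validation described above, as an added JavaScript example (not the Argo CD patch or any project code). The names safeRepoHref, renderRepoCell and ALLOWED_LINK_PROTOCOLS are hypothetical, and the sample URLs are constructed.

```javascript
// Added example. safeRepoHref, renderRepoCell and ALLOWED_LINK_PROTOCOLS are
// hypothetical names, not identifiers from the Argo CD code base.
const ALLOWED_LINK_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized href if `raw` may be rendered as a link, otherwise null.
function safeRepoHref(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    // The WHATWG parser normalizes the way a browser does before navigation:
    // it trims leading/trailing control characters and spaces, drops embedded
    // tabs and newlines, and lowercases the scheme. Checking the parsed
    // protocol therefore sees what the browser will act on.
    parsed = new URL(raw);
  } catch (err) {
    // Not an absolute URL, e.g. scp-style remotes such as git@host:org/repo.git.
    return null;
  }
  return ALLOWED_LINK_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Renders the repository column: a link for allowed schemes, plain text otherwise.
function renderRepoCell(raw) {
  const text = escapeHtml(String(raw));
  const href = safeRepoHref(raw);
  return href === null
    ? `<span>${text}</span>`
    : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_REPO_URLS = [
  'https://github.com/example-org/example-repo.git',
  'git@github.com:example-org/example-repo.git',
  'ssh://git@example.com/example-org/example-repo.git',
  'javascript:void(0)',
  ' JaVaScRiPt:void(0)',
  'java\tscript:void(0)',
];

for (const url of SAMPLE_REPO_URLS) {
  console.log(JSON.stringify(url), '->', renderRepoCell(url));
}
```

Only the first sample is rendered as a link; every other value falls back to escaped plain text, so a stored URL with an unexpected scheme is displayed but never becomes clickable.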

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.