CVE-2022-31035
📋 TL;DR
CVE-2022-31035 is a cross-site scripting (XSS) vulnerability in Argo CD that allows attackers to inject malicious JavaScript links into the UI. When clicked by authenticated users, the script executes with the victim's permissions, potentially granting full administrative control over Kubernetes resources. All Argo CD installations from version 1.0.0 are affected until patched.
💻 Affected Systems
- Argo CD
📦 What is this software?
Argo CD by Argoproj
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Kubernetes clusters managed by Argo CD, allowing attackers to create, modify, or delete any Kubernetes resource, potentially leading to data exfiltration, service disruption, or lateral movement.
Likely Case
Privilege escalation where authenticated users with lower privileges can gain administrative access, leading to unauthorized resource modifications or configuration changes.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though the vulnerability still presents significant risk.
🎯 Exploit Status
Exploitation requires the attacker to have some level of access to create or modify content in Argo CD that can be viewed by other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.4.1, v2.3.5, v2.2.10, v2.1.16
Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj
Restart Required: Yes
Instructions:
1. Identify the current Argo CD version.
2. Back up configurations and data.
3. Upgrade to a patched version using Helm, kubectl, or your deployment method.
4. Restart the Argo CD components.
5. Verify the upgrade and functionality.
🔧 Temporary Workarounds
No safe workarounds
The vendor states there are no completely safe workarounds besides upgrading.
🧯 If You Can't Patch
- Implement strict network controls to limit Argo CD UI access to trusted users only
- Apply principle of least privilege to all Argo CD user accounts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Argo CD version via UI or API; versions before v2.4.1, v2.3.5, v2.2.10, or v2.1.16 are vulnerable.
Check Version:
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].spec.containers[0].image}'
Verify Fix Applied:
Confirm Argo CD version is v2.4.1, v2.3.5, v2.2.10, or v2.1.16 or later via UI or API.
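As an added example (not part of this advisory), the following POSIX sh script classifies an argocd-server image tag against the patch versions listed above (v2.4.1, v2.3.5, v2.2.10, v2.1.16). The image string is a constructed sample; on a live cluster, the kubectl command under "Check Version" supplies the real value.

```shell
#!/bin/sh
# Added example: decide whether an Argo CD version predates the CVE-2022-31035 fix.
# Prints "fixed", "vulnerable", or "unknown" for a tag such as "v2.3.4" or "2.3.4".
argocd_version_status() {
    ver=${1#v}            # drop leading "v"
    ver=${ver%%-*}        # drop pre-release suffix (assumption: judge by base version)
    case "$ver" in
        [0-9]*.[0-9]*) ;;                   # needs at least major.minor
        *) echo unknown; return 0 ;;        # e.g. "latest" or an empty tag
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}
    case "$major.$minor" in
        2.4) min_patch=1 ;;
        2.3) min_patch=5 ;;
        2.2) min_patch=10 ;;
        2.1) min_patch=16 ;;
        *)
            # 2.5+ (or a later major) postdates the fix; anything older than 2.1 has no patch line.
            if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }; then
                echo fixed
            else
                echo vulnerable
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$min_patch" ]; then echo fixed; else echo vulnerable; fi
}

# Extract the tag from an image reference, e.g. quay.io/argoproj/argocd:v2.3.4 -> v2.3.4.
# Digest-only references (image@sha256:...) and registry-port-only matches yield "unknown".
image_tag() {
    img=${1%%@*}
    case "$img" in
        *:*) tag=${img##*:} ;;
        *)   tag=unknown ;;
    esac
    case "$tag" in */*) tag=unknown ;; esac
    echo "$tag"
}

# Constructed sample; on a cluster replace with:
# IMAGE=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].spec.containers[0].image}')
IMAGE="quay.io/argoproj/argocd:v2.3.4"
TAG=$(image_tag "$IMAGE")
echo "argocd-server image tag $TAG: $(argocd_version_status "$TAG")"
```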
📡 Detection & Monitoring
Log Indicators:
- Unusual UI interactions, unexpected JavaScript execution in browser logs, suspicious API calls from user sessions
Network Indicators:
- Unexpected outbound connections from Argo CD pods, unusual patterns in Kubernetes API requests
SIEM Query:
source="argocd" AND (event="javascript_execution" OR event="unusual_ui_action")
🔗 References
- https://argo-cd.readthedocs.io/en/stable/user-guide/external-url/
- https://github.com/argoproj/argo-cd/commit/8bc3ef690de29c68a36f473908774346a44d4038
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj