CWE: 20

CVE-2022-24905: Argo CD login screen allows message spoofing if SSO is enabled

First published: Fri May 20 2022 (Updated: )

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign-on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim into visiting a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. JavaScript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds.
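The pattern behind this bug class, shown as an added example that is not Argo CD's code and not part of the original advisory: a login page that displays whatever message the URL carries, beside a hardened version in which the URL may only select an opaque error code, so the wording the user reads is always chosen by the application. The `sso_error` parameter name, the function names and the message table are assumptions for illustration; how Argo CD itself patched the issue is not described on this page.

```javascript
// Added example (not Argo CD's code): reflecting a URL-supplied login message
// versus mapping an allow-listed error code to fixed text.
// The "sso_error" parameter name and the message table are constructed for illustration.

// Vulnerable pattern: whatever text the URL carries is shown verbatim on the
// login screen. Even without HTML or script, whoever builds the link controls
// the wording the user reads under the application's own branding.
function ssoErrorMessageReflected(pageUrl) {
  return new URL(pageUrl).searchParams.get("sso_error");
}

// Hardened pattern: the URL may only carry an opaque code. The text shown comes
// from a table the application owns; anything else collapses to one generic line.
// A Map is used rather than a plain object so that codes such as "constructor"
// or "__proto__" cannot match inherited properties.
const SSO_ERROR_MESSAGES = new Map([
  ["invalid_state", "SSO login failed: the login session has expired. Please try again."],
  ["token_exchange_failed", "SSO login failed: the identity provider rejected the request."],
  ["user_not_allowed", "SSO login succeeded, but this account is not permitted to use this Argo CD instance."],
]);
const GENERIC_SSO_ERROR = "SSO login failed. Please try again or contact your administrator.";

function ssoErrorMessageAllowlisted(pageUrl) {
  const code = new URL(pageUrl).searchParams.get("sso_error");
  if (code === null) {
    return null; // no error to display
  }
  return SSO_ERROR_MESSAGES.has(code) ? SSO_ERROR_MESSAGES.get(code) : GENERIC_SSO_ERROR;
}

// Constructed sample URLs: one carrying a legitimate code, one carrying free text.
const LEGIT_URL = "https://argocd.example.invalid/login?sso_error=invalid_state";
const CRAFTED_URL = "https://argocd.example.invalid/login?sso_error=" +
  encodeURIComponent("This text was chosen by whoever built the link.");

console.log("reflected  :", ssoErrorMessageReflected(CRAFTED_URL));
console.log("allowlisted:", ssoErrorMessageAllowlisted(CRAFTED_URL));
console.log("allowlisted:", ssoErrorMessageAllowlisted(LEGIT_URL));
```

The design point is that the query string selects a message rather than supplying one: unknown, empty or prototype-like codes all fall through to the same generic text, so a crafted link can at most trigger one of the application's own sentences.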

Credit: security-advisories@github.com

Affected Software         Affected Version     How to fix
Linuxfoundation Argo-cd   >=0.6.1, <2.1.15     Upgrade to 2.1.15
Linuxfoundation Argo-cd   >=2.2.0, <2.2.9      Upgrade to 2.2.9
Linuxfoundation Argo-cd   >=2.3.0, <2.3.4      Upgrade to 2.3.4
Argoproj Argo Cd          >=0.6.1, <2.1.15     Upgrade to 2.1.15
Argoproj Argo Cd          >=2.2.0, <2.2.9      Upgrade to 2.2.9
Argoproj Argo Cd          >=2.3.0, <2.3.4      Upgrade to 2.3.4


Frequently Asked Questions

  • What is the vulnerability CVE-2022-24905?

    The vulnerability CVE-2022-24905 is a vulnerability found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled.

  • How can an attacker exploit CVE-2022-24905?

    To exploit CVE-2022-24905, the target Argo CD instance must have single sign-on (SSO) enabled, and the attacker must trick a victim into visiting a specially crafted URL that carries the message to be shown as an error on the login screen.

  • What is the severity of CVE-2022-24905?

    The severity of CVE-2022-24905 is medium with a CVSS score of 4.3.

  • Which versions of Argo CD are affected by CVE-2022-24905?

    Argo CD versions prior to 2.3.4, 2.2.9, and 2.1.15 are affected by CVE-2022-24905.

  • How can I fix CVE-2022-24905?

    To fix CVE-2022-24905, update Argo CD to the patched version for your release line: 2.3.4, 2.2.9, or 2.1.15.

© 2024 SecAlerts Pty Ltd.