SCA: security update for github.com/argoproj/argo-cd/v2 (GHSA-jwv5-8mqv-g387)

medium Tenable Cloud Security Plugin ID 416613

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL
protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application
summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched
versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a
malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will
execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker
to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and
deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions
v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest
alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject
any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value
use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.
(CVE-2024-28175)

See Also

https://github.com/advisories/GHSA-jwv5-8mqv-g387

Plugin Details

Severity: Medium

ID: 416613

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.16

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2024-28175

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/15/2024

Vulnerability Publication Date: 3/13/2024

Reference Information

CVE: CVE-2024-28175

cwe: CWE-79