CVE-2022-31035

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-31035

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31035.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-31035

Aliases

Published

2022-06-27T19:10:11Z

Modified

2025-12-04T10:23:02.437579Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

External URLs for Deployments can include javascript in argo-cd

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31035.json"
}

References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

c74ca22023cbee245cb83fb23224978fbe23703c

Fixed

903db5fe464032bd5a10bf32fe17639e76634c2a

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "2.1.16"
        }
    ]
}

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a

Fixed

8db0e57b738ff5b0b276031573576fdc3498c04f

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.10"
        }
    ]
}

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

fe427802293b090f43f91f5839393174df6c3b3a

Fixed

1287d24bfe47bcaa6e791e5ff12fa1c1bf57a442

Database specific

{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

91aefabc5b213a258ddcfe04b8e69bb4a2dd2566

Fixed

52e6025f8b565705025d029e8bed36d6caa5ecf7

Database specific

{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "fixed": "2.4.1"
        }
    ]
}

Affected versions

v2.*

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.4.0