1. Home
  2. CVE Database
  3. CVE-2022-31035
CRITICAL · 9.0

CVE-2022-31035

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to i...

Vulnerability Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.

CVSS Score

9.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
ArgoprojArgo Cd>= 1.0.0, < 2.1.16

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2022-31035?

CVE-2022-31035 is a vulnerability with a CVSS score of 9.0 (CRITICAL). Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to i...

How severe is CVE-2022-31035?

CVE-2022-31035 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-31035?

Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Cd.