CVE-2022-31035

External URLs for Deployments can include javascript in argo-cd

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.

Category

9.0
CVSS
Severity: Critical
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.21%
Vendor Advisory readthedocs.io
Affected: argoproj argo-cd
Published at:
Updated at:

References

Link Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj third party advisory mitigation
https://github.com/argoproj/argo-cd/commit/8bc3ef690de29c68a36f473908774346a44d4038 third party advisory patch
https://argo-cd.readthedocs.io/en/stable/user-guide/external-url/ vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-31035?
CVE-2022-31035 has been scored as a critical severity vulnerability.
How to fix CVE-2022-31035?
To fix CVE-2022-31035, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-31035 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-31035 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-31035?
CVE-2022-31035 affects argoproj argo-cd.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.