CVE-2021-23347
published 2021-03-03CVE-2021-23347: The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected…
PriorityP417medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.53%
41.0th percentile
The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | < 1.7.13 | 1.7.13 |
| argoproj | argo_cd | >= 1.8.0 < 1.8.6 | 1.8.6 |
| github.com | argoproj_argo-cd | >= 0 < 1.7.13 | 1.7.13 |
| github.com | argoproj_argo-cd | >= 1.8.0 < 1.8.6 | 1.8.6 |
| github.com | argoproj_argo-cd_cmd | >= 1.8.0 < unspecified | unspecified |
| github.com | argoproj_argo-cd_cmd | >= unspecified < 1.7.13 | 1.7.13 |
| github.com | argoproj_argo-cd_cmd | >= unspecified < 1.8.6 | 1.8.6 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 1.7.13 | 1.7.13 |
| github.com | argoproj_argo-cd_v2 | >= 1.8.0 < 1.8.6 | 1.8.6 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
osv·2024-08-21
CVE-2021-23347 Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
GHSA
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
ghsa·2021-05-21
CVE-2021-23347 [MEDIUM] CWE-79 Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
### Impact
When using SSO with the Argo CD CLI, a malicious SSO provider could have sent specially crafted error message that would result in XSS on the client by means of executing arbitrary JavaScript code.
We believe the exploitation of this vulnerability is only be possible when Argo CD is connected to a compromised/malicious SSO provider.
### Patches
A patch for this vulnerability is available with the v1.8.7 and v1.7.14 releases of Argo CD.
### Workarounds
* Do not use SSO with the CLI when you don't trust your SSO provider
If you have any questions or comments about this advisory:
* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://gith
OSV
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
osv·2021-05-21
CVE-2021-23347 [MEDIUM] Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
### Impact
When using SSO with the Argo CD CLI, a malicious SSO provider could have sent specially crafted error message that would result in XSS on the client by means of executing arbitrary JavaScript code.
We believe the exploitation of this vulnerability is only be possible when Argo CD is connected to a compromised/malicious SSO provider.
### Patches
A patch for this vulnerability is available with the v1.8.7 and v1.7.14 releases of Argo CD.
### Workarounds
* Do not use SSO with the CLI when you don't trust your SSO provider
If you have any questions or comments about this advisory:
* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://gith
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-03-03
Published