CVE-2022-31035 CRITICAL

CVE-2022-31035: External URLs for Deployments can include javascript in argo-cd

Vendor Argoproj

Product argo-cd

Weakness CWE-79 · XSS

Published June 27, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

9.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.

Key dates

Disclosure timeline

June 27, 2022 CVE published

April 23, 2025 Record updated

Identifiers

CVE CVE-2022-31035

CWE CWE-79

CVSS 9.0 / CRITICAL

Affected versions

Vendor Argoproj

Product argo-cd

Affected >= 1.0.0, < 2.1.16

Vendor Argoproj

Product argo-cd

Affected >= 2.2.0, < 2.2.10

Vendor Argoproj

Product argo-cd

Affected >= 2.3.0, < 2.3.5

Vendor Argoproj

Product argo-cd

Affected >= 2.4.0, < 2.4.1