Cross-site Request Forgery (CSRF) Affecting github.com/argoproj/argo-cd/server package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDSERVER-6179655
- published 19 Jan 2024
- disclosed 19 Jan 2024
- credit aphtrinh
Introduced: 19 Jan 2024
CVE-2024-22424 Open this link in a new tabHow to fix?
A fix was pushed into the master branch but not yet published.
Overview
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the API endpoint handling. An attacker can execute unauthorized actions on behalf of an authenticated user by crafting a web page that makes API calls to the application without proper cross-origin resource sharing (CORS) validation.
Notes:
This is only exploitable if the attacker has the ability to write HTML to a page on the same parent domain as the application.
The Argo CD API will no longer accept non-GET requests which do not specify application/json as their Content-Type. The accepted content types list is configurable, and it is possible (but discouraged) to disable the content type check completely.
3)Browsers generally block such attacks by applying CORS policies to sensitive requests with sensitive content types. Specifically, browsers will send a “preflight request” for POSTs with content type “application/json” asking the destination API “are you allowed to accept requests from my domain?” If the destination API does not answer “yes,” the browser will block the request.