Cross-site Request Forgery (CSRF) Affecting github.com/argoproj/argo-cd/v2/server package, versions <2.7.16 >=2.8.0 <2.8.8 >=2.9.0 <2.9.4 >=2.10.0-rc1 <2.10.0-rc2


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDV2SERVER-6179657
  • published 19 Jan 2024
  • disclosed 19 Jan 2024
  • credit aphtrinh

How to fix?

Upgrade github.com/argoproj/argo-cd/v2/server to version 2.7.16, 2.8.8, 2.9.4, 2.10.0-rc2 or higher.

Overview

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the API endpoint handling. An attacker can execute unauthorized actions on behalf of an authenticated user by crafting a web page that makes API calls to the application without proper cross-origin resource sharing (CORS) validation.

Notes:

  1. This is only exploitable if the attacker has the ability to write HTML to a page on the same parent domain as the application.

  2. The Argo CD API will no longer accept non-GET requests which do not specify application/json as their Content-Type. The accepted content types list is configurable, and it is possible (but discouraged) to disable the content type check completely.

3)Browsers generally block such attacks by applying CORS policies to sensitive requests with sensitive content types. Specifically, browsers will send a “preflight request” for POSTs with content type “application/json” asking the destination API “are you allowed to accept requests from my domain?” If the destination API does not answer “yes,” the browser will block the request.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.3 high