Upgrade Argo CD Now to Patch Critical CSRF Vulnerability

CVE: CVE-2024-22424
CVSS v3.1: 8.4
Source: CVE-2024-22424

Argo CD is an open source GitOps continuous delivery tool for Kubernetes that is used by many companies. Unfortunately, versions prior to 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are affected by a serious cross-site request forgery (CSRF) vulnerability.

CSRF attacks work by tricking an authenticated user into unknowingly sending requests to a site where they are already logged in, so the forged request is sent with the victim's own credentials. With Argo CD, an attacker could craft a link or embedded code that, when clicked, deploys malicious applications without the user's knowledge. This is possible even if the attacker controls a different domain than Argo CD.

The vulnerability exists because Argo CD did not properly validate the content type of API requests. An attacker could bypass the checks meant to prevent CSRF by sending the request with a non-sensitive content type (one that browsers allow cross-origin without a CORS preflight). This allowed arbitrary JSON requests to reach the API without detection.
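To make the defence concrete, here is an added Go example (written for this post, not Argo CD's own middleware) of the kind of strict content-type check that closes this class of bypass: the header is parsed with `mime.ParseMediaType` and only `application/json` is accepted for state-changing requests, so a forged request using a CORS-safelisted type such as `text/plain` is refused before its JSON body is parsed. The `/api/v1/applications` path, the `createApp` handler and the JSON body are constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isJSONContentType parses the header and accepts only application/json (parameters
// such as charset are fine); parsing, not prefix matching, rejects look-alike values.
func isJSONContentType(ct string) bool {
	mediaType, _, err := mime.ParseMediaType(ct)
	return err == nil && mediaType == "application/json"
}

// requireJSON refuses non-GET requests not declared as application/json. A browser
// cannot send that content type cross-origin without a CORS preflight, so a forged
// request relying on a safelisted type (text/plain, form encodings) never reaches the handler.
func requireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && !isJSONContentType(r.Header.Get("Content-Type")) {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// createApp stands in for an application-creation endpoint (hypothetical, not Argo CD's).
func createApp(w http.ResponseWriter, r *http.Request) {
	var app struct{ Name string }
	if err := json.NewDecoder(r.Body).Decode(&app); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

// submit POSTs a constructed JSON body with the given Content-Type and returns the status (415 refused, 201 created).
func submit(contentType string) int {
	handler := requireJSON(http.HandlerFunc(createApp))
	req := httptest.NewRequest(http.MethodPost, "/api/v1/applications", strings.NewReader(`{"Name":"demo"}`))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}
```

A content-type check of this kind is defence in depth alongside SameSite cookies and anti-CSRF tokens, not a replacement for them.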

It is recommended that all Argo CD users immediately upgrade to the latest patched versions to close this security hole. Versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 fix the content type validation and prevent CSRF attacks on the API.

Take action now to protect your Kubernetes clusters from this critical remote code execution vulnerability in Argo CD. Keeping your software up to date is one of the best ways to stay secure.
