OpenShift GitOps: GITOPS-3922

CVE-2023-49568 CSRF in github.com/argoproj/argo-cd [1.10]


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Undefined
    • 1.10.2
    • 1.10.1
      Before this update, Argo CD v2.8.3 and later accepted non-GET API requests regardless of whether they specified a content type, which left the Argo CD API vulnerable to cross-site request forgery (CSRF). This update fixes the issue by upgrading Argo CD to v2.8.9, which carries the patch to the Argo CD API.

      Breaking change: The Argo CD API no longer accepts non-GET requests that do not specify application/json as their content type. The list of accepted content types is configurable, but do not disable the content type check completely: without it, a cross-site form submission carrying the victim's session cookie would reach the API again.

      Link: https://issues.redhat.com/browse/GITOPS-3922 [GITOPS-3922]
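      The mitigation described above, a content-type gate in front of the API for every non-GET request, as an added example in Go. This is not Argo CD's own middleware and is not code from this issue; the names RequireContentType, APIHandler and Probe, the sample path and the allow list are assumptions made for the example. The security point it demonstrates: a cross-site HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain, and a cross-site fetch() that sets application/json triggers a CORS preflight, so requiring application/json means a forged request riding on the victim's cookie is rejected before it reaches the handler.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultAllowedContentTypes is the starting allow list for this example.
// The list is configurable, but must never be emptied: an empty list would
// switch the check off and reopen the CSRF vector.
var DefaultAllowedContentTypes = []string{"application/json"}

// RequireContentType wraps next so that every non-GET request must carry a
// Content-Type whose media type is in allowed; anything else gets a 415
// before the request reaches the API. GET requests are passed through
// unchanged, as in the breaking change described on this page.
func RequireContentType(allowed []string, next http.Handler) http.Handler {
	if len(allowed) == 0 {
		panic("RequireContentType: allow list must not be empty; that disables the check")
	}
	set := make(map[string]bool, len(allowed))
	for _, ct := range allowed {
		set[strings.ToLower(strings.TrimSpace(ct))] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			// ParseMediaType drops parameters such as "; charset=utf-8" and
			// lower-cases the media type, so "Application/JSON; charset=utf-8"
			// still matches. A missing header is a parse error and is rejected.
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || !set[mt] {
				http.Error(w, "unsupported Content-Type for non-GET request", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// APIHandler stands in for the real API (constructed for this example); it
// answers 200 to anything that gets past the gate.
var APIHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "%s handled\n", r.Method)
})

// Probe sends one in-memory request through h and returns the status code.
// The path is a made-up example path, not a claim about the real API.
func Probe(h http.Handler, method, contentType string) int {
	req := httptest.NewRequest(method, "/api/v1/applications/guestbook/sync", strings.NewReader("{}"))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := RequireContentType(DefaultAllowedContentTypes, APIHandler)
	cases := []struct{ method, ct string }{
		{"GET", ""},
		{"POST", ""},                                  // bare request with no Content-Type
		{"POST", "application/x-www-form-urlencoded"}, // what a cross-site <form> submits
		{"POST", "text/plain"},                        // the other CSRF-capable enctype
		{"POST", "application/json"},
		{"POST", "application/json; charset=utf-8"},
		{"DELETE", "application/json"},
	}
	for _, c := range cases {
		fmt.Printf("%-6s %-42q -> %d\n", c.method, c.ct, Probe(h, c.method, c.ct))
	}
}
```

      Extending the allow list (for example with a vendor-specific JSON type) is safe as long as none of the types added are ones a browser can send cross-site without a preflight; adding text/plain or the two form enctypes would defeat the check.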

      UPDATE: This CVE is misnumbered: it should reference CVE-2024-22424, not CVE-2023-49568. The content is otherwise correct.

      Description of problem:


      We need to upgrade the Argo CD version to v2.8.8 or later, the 2.8.x line that carries the fix (this update ships v2.8.9).




              rescott1 Regina Scott (Inactive)