data/reports: add GO-2024-2646.yaml Aliases: CVE-2024-28175, GHSA-jwv5-8mqv-g387 Fixes golang/vulndb#2646 Change-Id: I0549f931db7cb4e67a7ffbb23d1714cf00bf7e8e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/573555 Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Tim King <taking@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

commit: 9777e1c8cddb0d190405724d91db2599c6896c8e [log] [tgz]
author: Tim King <taking@google.com> Thu Mar 21 21:50:54 2024 +0000
committer: Tim King <taking@google.com> Fri Mar 22 18:45:33 2024 +0000
tree: fbccb11f22a344f131327ac0bed0272a7717b394
parent: cd7c1198a568d4854097c5f2a6fefcf95c9112fd [diff]
diff --git a/data/osv/GO-2024-2646.json b/data/osv/GO-2024-2646.json
new file mode 100644
index 0000000..d7a56ad
--- /dev/null
+++ b/data/osv/GO-2024-2646.json

@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2646",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-28175",
+    "GHSA-jwv5-8mqv-g387"
+  ],
+  "summary": "Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2",
+  "details": "Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. A malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/argoproj/argo-cd",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/argoproj/argo-cd/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.8.12"
+            },
+            {
+              "introduced": "2.9.0"
+            },
+            {
+              "fixed": "2.9.8"
+            },
+            {
+              "introduced": "2.10.0"
+            },
+            {
+              "fixed": "2.10.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71"
+    }
+  ],
+  "credits": [
+    {
+      "name": "@Ry0taK, @agaudreault, and @crenshaw-dev"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2646"
+  }
+}
\ No newline at end of file

diff --git a/data/reports/GO-2024-2646.yaml b/data/reports/GO-2024-2646.yaml
new file mode 100644
index 0000000..d9f8fb2
--- /dev/null
+++ b/data/reports/GO-2024-2646.yaml

@@ -0,0 +1,39 @@
+id: GO-2024-2646
+modules:
+    - module: github.com/argoproj/argo-cd
+      versions:
+        - introduced: 1.0.0
+      vulnerable_at: 1.8.6
+    - module: github.com/argoproj/argo-cd/v2
+      versions:
+        - introduced: 2.0.0
+          fixed: 2.8.12
+        - introduced: 2.9.0
+          fixed: 2.9.8
+        - introduced: 2.10.0
+          fixed: 2.10.3
+      vulnerable_at: 2.10.2
+summary: |-
+    Cross-site scripting on application summary component in
+    github.com/argoproj/argo-cd/v2
+description: |-
+    Due to the improper URL protocols filtering of links specified in the
+    link.argocd.argoproj.io annotations in the application summary component, an
+    attacker can achieve cross-site scripting with elevated permissions. A malicious
+    user to inject a javascript: link in the UI. When clicked by a victim user, the
+    script will execute with the victim's permissions (up to and including admin).
+    This vulnerability allows an attacker to perform arbitrary actions on behalf of
+    the victim via the API, such as creating, modifying, and deleting Kubernetes
+    resources.
+cves:
+    - CVE-2024-28175
+ghsas:
+    - GHSA-jwv5-8mqv-g387
+credits:
+    - '@Ry0taK, @agaudreault, and @crenshaw-dev'
+references:
+    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387
+    - fix: https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71
+notes:
+    - create: found alias BIT-argo-cd-2024-28175 that is not a GHSA or CVE
+    - Fix is in typescript code.
commit	9777e1c8cddb0d190405724d91db2599c6896c8e	[log] [tgz]
author	Tim King <taking@google.com>	Thu Mar 21 21:50:54 2024 +0000
committer	Tim King <taking@google.com>	Fri Mar 22 18:45:33 2024 +0000
tree	fbccb11f22a344f131327ac0bed0272a7717b394
parent	cd7c1198a568d4854097c5f2a6fefcf95c9112fd [diff]