JWT audience claim is not verified
CVE-2023-22482

9.1 CRITICAL

Key Information:

Vendor: Argoproj
Status: Vendor
CVE Published: 26 January 2023

What is CVE-2023-22482?

Argo CD, a declarative continuous delivery tool for Kubernetes, has an improper-authorization bug in how it handles signed tokens from OIDC providers. An OIDC provider includes an aud (audience) claim naming the client application a token was issued for. Argo CD correctly validates the token's signature but never checks that the audience is Argo CD itself, so any token the same provider signed for a different application is accepted as though it had been issued for Argo CD. An attacker who holds such a token (for example, one issued for another service that trusts the same provider) can therefore authenticate to Argo CD as the identity named in that token and act with whatever access Argo CD's RBAC grants it. Versions from 1.8.2 up to, but not including, 2.3.13, 2.4.19, 2.5.6 and 2.6.0-rc3 are affected; the fix ships in those releases. There are no workarounds, so affected users should upgrade (the running server version is shown by `argocd version`).
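The check that the patch adds, shown as an added example that is not Argo CD's own code: a minimal JWT verifier in Go, the language Argo CD is written in. Real OIDC providers sign ID tokens with RS256 and publish their keys via JWKS; to stay dependency-free this example signs with HS256 and a constructed shared secret, which does not change the audience logic. The secret, issuer, client IDs and user names are all hypothetical. `verifySignature` reproduces the vulnerable behaviour (any correctly signed token from the trusted provider is accepted); `verifyForClient` adds the audience check, handling both forms of `aud` that RFC 7519 allows.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of the OIDC ID-token payload this example inspects.
// "aud" may be a single string or an array of strings (RFC 7519 section 4.1.3),
// so it is kept raw and decoded in audiences().
type Claims struct {
	Issuer   string          `json:"iss"`
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud"`
}

// audiences normalises the aud claim into a slice; a missing or malformed
// claim is an error, never an implicit pass.
func (c Claims) audiences() ([]string, error) {
	var single string
	if err := json.Unmarshal(c.Audience, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Audience, &many); err != nil {
		return nil, errors.New("aud claim missing or neither a string nor an array")
	}
	return many, nil
}

// sign builds a compact JWS over the claims with HS256 and a hypothetical
// shared secret, standing in for the provider's RS256 signing key.
func sign(key []byte, claims map[string]interface{}) string {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	signingInput := header + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}

// verifySignature checks the HS256 signature and returns the decoded claims.
// This is the whole of the vulnerable check: a valid signature from the
// trusted provider was enough, whatever the token's audience.
func verifySignature(key []byte, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// verifyForClient is the fixed behaviour: the signature must verify AND the
// aud claim must include the client ID this relying party registered with
// the provider.
func verifyForClient(key []byte, token, clientID string) (*Claims, error) {
	c, err := verifySignature(key, token)
	if err != nil {
		return nil, err
	}
	auds, err := c.audiences()
	if err != nil {
		return nil, err
	}
	for _, a := range auds {
		if a == clientID {
			return c, nil
		}
	}
	return nil, fmt.Errorf("token audience %v does not include %q", auds, clientID)
}

func main() {
	key := []byte("hypothetical-shared-secret") // constructed, not a real provider key
	// Constructed token the same provider issued for a different application.
	foreign := sign(key, map[string]interface{}{"iss": "https://idp.example", "sub": "alice", "aud": "other-app"})
	if _, err := verifySignature(key, foreign); err == nil {
		fmt.Println("signature-only check: token issued for other-app ACCEPTED (vulnerable)")
	}
	if _, err := verifyForClient(key, foreign, "argo-cd"); err != nil {
		fmt.Println("signature+audience check:", err)
	}
}
```

`go run` prints that the signature-only path accepts the token minted for other-app while the audience-aware path rejects it. The audience must be compared against the client ID the relying party registered with the provider, and a missing or malformed `aud` is treated as a failure rather than a pass.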

Affected Version(s)

Product   Affected                  Unaffected     Fixed
argo-cd   >= 1.8.2, < 2.3.13        < 1.8.2        2.3.13
argo-cd   >= 2.4.0-rc1, < 2.4.19    < 2.4.0-rc1    2.4.19
argo-cd   >= 2.5.0-rc1, < 2.5.6     < 2.5.0-rc1    2.5.6

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability Reserved

  • Vulnerability published: 26 January 2023