JWT audience claim is not verified
CVE-2023-22482
What is CVE-2023-22482?
Argo CD, a declarative continuous delivery tool for Kubernetes, does not sufficiently validate the audience (aud) claim of signed tokens issued by its configured OIDC provider. It correctly verifies the token signature, but it does not check that the token was issued for Argo CD, so a token the same identity provider issued to a different client (another application registered with that provider) is accepted as if it were Argo CD's own. An attacker holding such a token can authenticate to Argo CD and obtain whatever permissions Argo CD's RBAC maps to the identity and group claims the token carries. The issue is fixed in versions 2.6.0-rc3, 2.5.6, 2.4.19 and 2.3.13; affected users should upgrade, as no workaround is available.
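The check that was missing, shown as an added example rather than Argo CD's own code: a minimal HS256 JWT verifier in Go (Argo CD's language) with the pre-fix behaviour (signature only) beside the hardened behaviour (signature plus aud). The shared secret, client IDs, subject and group names are constructed for the example; a real OIDC provider signs with an asymmetric key published at its JWKS endpoint, but the audience logic is the same. The aud claim may be a string or an array (RFC 7519 section 4.1.3), and a token with no aud at all is rejected by the hardened path.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of JWT claims this example uses. aud is kept raw
// because RFC 7519 allows either a string or an array of strings.
type Claims struct {
	Subject string          `json:"sub"`
	Aud     json.RawMessage `json:"aud"`
	Groups  []string        `json:"groups,omitempty"`
}

var b64 = base64.RawURLEncoding

// mintHS256 stands in for the identity provider: it signs arbitrary claims
// with a constructed shared secret (example only, not how a real IdP signs).
func mintHS256(secret []byte, claims map[string]interface{}) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifySignature checks the HS256 signature and decodes the claims.
// It pins the algorithm so an "alg":"none" header is not honoured.
func verifySignature(token string, secret []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// audiences normalises the aud claim (string or []string) to a slice.
func audiences(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil // claim absent
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, errors.New("aud is neither string nor array")
	}
	return many, nil
}

// VerifyVulnerable mirrors the pre-fix behaviour: any token the provider
// signed is accepted, whichever client it was issued to.
func VerifyVulnerable(token string, secret []byte) (*Claims, error) {
	return verifySignature(token, secret)
}

// VerifyHardened additionally requires aud to name this client ID.
func VerifyHardened(token string, secret []byte, clientID string) (*Claims, error) {
	c, err := verifySignature(token, secret)
	if err != nil {
		return nil, err
	}
	auds, err := audiences(c.Aud)
	if err != nil {
		return nil, err
	}
	for _, a := range auds {
		if a == clientID {
			return c, nil
		}
	}
	return nil, fmt.Errorf("token audience %v does not include %q", auds, clientID)
}

func main() {
	secret := []byte("constructed-shared-secret")
	// A token the same IdP issued to a different client, "grafana", for a
	// user whose group claim Argo CD's RBAC might map to admin.
	tok, _ := mintHS256(secret, map[string]interface{}{
		"sub": "alice", "aud": "grafana", "groups": []string{"admins"},
	})
	if c, err := VerifyVulnerable(tok, secret); err == nil {
		fmt.Printf("vulnerable path accepted %s with groups %v\n", c.Subject, c.Groups)
	}
	if _, err := VerifyHardened(tok, secret, "argo-cd"); err != nil {
		fmt.Println("hardened path rejected:", err)
	}
}
```

The fix in the real project is in its OIDC client configuration rather than a hand-rolled verifier, but the property to test for is the one above: a signature-valid token whose aud names another client must be refused, and so must a token with no aud.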

Affected Version(s)
argo-cd >= 1.8.2, < 2.3.13 (unaffected: < 1.8.2; fixed in 2.3.13)
argo-cd >= 2.4.0-rc1, < 2.4.19 (fixed in 2.4.19)
argo-cd >= 2.5.0-rc1, < 2.5.6 (fixed in 2.5.6)
