CVE-2023-22482 – github.com/argoproj/argo-cd

Package

Manager: go
Name: github.com/argoproj/argo-cd
Vulnerable Version: >=1.8.2 <2.3.14 || >=2.4.0 <2.4.20 || >=2.5.0 <2.5.8 || >=2.6.0-rc1 <2.6.0-rc5

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00249 pctl0.48055

Details

JWT audience claim is not verified ### Impact All versions of Argo CD starting with v1.8.2 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the blast radius of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.6.0-rc5 * v2.5.8 * v2.4.20 * v2.3.14 The patch introduces a new `allowedAudiences` to the OIDC config block. By default, the client ID is the only allowed audience. Users who _want_ Argo CD to accept tokens intended for a different audience may use `allowedAudiences` to specify those audiences. ```yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-cm data: oidc.config: | name: Example allowedAudiences: - audience-1 - audience-2 - argocd-client-id # If `allowedAudiences` is non-empty, Argo CD's client ID must be explicitly added if you want to allow it. `` Even though [the OIDC spec requires the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken), some tokens may not include it. To avoid a breaking change in a patch release, versions < 2.6.0 of Argo CD will skip the audience claim check for tokens that have no audience. In versions >= 2.6.0, Argo CD will reject all tokens which do not have an audience claim. Users can opt into the old behavior by setting an option: ```yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-cm data: oidc.config: | name: Example skipAudienceCheckWhenTokenHasNoAudience: true ``` ### Workarounds There is no workaround besides upgrading. ### Credits The Argo CD team would like to express their gratitude to Vladimir Pouzanov (@farcaller) from Indeed, who discovered the issue, reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability), and actively worked with the project to provide a remedy. Many thanks to Vladimir! ### References * [How to configure OIDC in Argo CD](https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/#existing-oidc-provider) * [OIDC spec section discussing the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) * [JWT spec section discussing the audience claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3) ### For more information * Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd

Metadata

Created: 2023-01-25T22:02:52Z
Modified: 2023-02-07T21:21:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-q9hr-j4rf-8fjc/GHSA-q9hr-j4rf-8fjc.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-q9hr-j4rf-8fjc
Finding: F006
Auto approve: 1