gsd-2022-31105
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2022-31105",
    "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.",
    "id": "GSD-2022-31105"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31105"
      ],
      "details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.",
      "id": "GSD-2022-31105",
      "modified": "2023-12-13T01:19:17.177921Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31105",
        "STATE": "PUBLIC",
        "TITLE": "Argo CD\u0027s certificate verification is skipped for connections to OIDC providers"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "argo-cd",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 0.4.0, \u003c 2.2.11"
                        },
                        {
                          "version_value": "\u003e= 2.3.0, \u003c 2.3.6"
                        },
                        {
                          "version_value": "\u003e= 2.4.0, \u003c 2.4.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "argoproj"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-295: Improper Certificate Validation"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-599: Missing Validation of OpenSSL Certificate"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5",
            "refsource": "CONFIRM",
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-7943-82jg-wmw5",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=v0.4.0 \u003cv2.2.11 || \u003e=v2.3.0 \u003cv2.3.6 || \u003e=v2.4.0 \u003cv2.4.5",
          "affected_versions": "All versions starting from 0.4.0 before 2.2.11, all versions starting from 2.3.0 before 2.3.6, all versions starting from 2.4.0 before 2.4.5",
          "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-295",
            "CWE-937"
          ],
          "date": "2022-07-21",
          "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.",
          "fixed_versions": [
            "v2.2.11",
            "v2.3.6",
            "v2.4.5"
          ],
          "identifier": "CVE-2022-31105",
          "identifiers": [
            "GHSA-7943-82jg-wmw5",
            "CVE-2022-31105"
          ],
          "not_impacted": "All versions before 0.4.0, all versions starting from 2.2.11 before 2.3.0, all versions starting from 2.3.6 before 2.4.0, all versions starting from 2.4.5",
          "package_slug": "go/github.com/argoproj/argo-cd",
          "pubdate": "2022-07-12",
          "solution": "Upgrade to versions 2.2.11, 2.3.6, 2.4.5 or above.",
          "title": "Improper Certificate Validation",
          "urls": [
            "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31105",
            "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6",
            "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5",
            "https://github.com/advisories/GHSA-7943-82jg-wmw5"
          ],
          "uuid": "9fd2375f-a134-4bb1-89ae-e70370b2ea6f",
          "versions": [
            {
              "commit": {
                "sha": "9c0daebfe088a1ac5145417df14d11769f266e82",
                "tags": [
                  "v0.4.0"
                ],
                "timestamp": "20180517074150"
              },
              "number": "v0.4.0"
            },
            {
              "commit": {
                "sha": "fe427802293b090f43f91f5839393174df6c3b3a",
                "tags": [
                  "v2.3.0"
                ],
                "timestamp": "20220306061859"
              },
              "number": "v2.3.0"
            },
            {
              "commit": {
                "sha": "91aefabc5b213a258ddcfe04b8e69bb4a2dd2566",
                "tags": [
                  "v2.4.0"
                ],
                "timestamp": "20220610171343"
              },
              "number": "v2.4.0"
            },
            {
              "commit": {
                "sha": "aa3f3749f8d5f174d2e4cdd2cf14cf6f9ef55143",
                "tags": [
                  "v2.2.11"
                ],
                "timestamp": "20220712160432"
              },
              "number": "v2.2.11"
            },
            {
              "commit": {
                "sha": "0232073ccffa0348f633a8a1fce0b55c3a56a688",
                "tags": [
                  "v2.4.5"
                ],
                "timestamp": "20220712160804"
              },
              "number": "v2.4.5"
            },
            {
              "commit": {
                "sha": "0badce7840e3fdb9f6d94e13488bec358fd0472d",
                "tags": [
                  "v2.3.6"
                ],
                "timestamp": "20220712163110"
              },
              "number": "v2.3.6"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.6",
                "versionStartIncluding": "2.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.2.11",
                "versionStartIncluding": "0.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.5",
                "versionStartIncluding": "2.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31105"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
            },
            {
              "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
            },
            {
              "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2022-07-20T15:45Z",
      "publishedDate": "2022-07-12T22:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.