PT-2022-2704 · Argo CD · Argo CD

Andrzej Hajto +1 · Published 2022-05-20 · Updated 2024-08-21 · CVE-2022-29165

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Argo CD versions 1.4.0 through 2.1.14
Argo CD versions 2.2.0 through 2.2.8
Argo CD versions 2.3.0 through 2.3.3

Description

A critical issue has been discovered in Argo CD that allows unauthenticated users to impersonate any Argo CD user or role, including the admin user, by sending a specially crafted JSON Web Token (JWT) along with the request. This can be exploited if anonymous access to the Argo CD instance is enabled. In a default installation, anonymous access is disabled. The issue can be exploited to escalate privileges, allowing an attacker to gain cluster admin privileges, create, manipulate, and delete resources, and exfiltrate data by deploying malicious workloads with elevated privileges.

Recommendations

For Argo CD versions 1.4.0 through 2.1.14, upgrade to version 2.1.15 or later.
For Argo CD versions 2.2.0 through 2.2.8, upgrade to version 2.2.9 or later.
For Argo CD versions 2.3.0 through 2.3.3, upgrade to version 2.3.4 or later.

As a temporary workaround, consider disabling anonymous access to the Argo CD instance by patching the argocd-cm ConfigMap to set users.anonymous.enabled to "false" or removing this field.
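
A triage check that combines the affected version ranges with the anonymous-access precondition described above. It is an added example, not part of the advisory or of Argo CD. The function names, status labels and sample inventory are assumptions; the ConfigMap is expected as JSON, such as the output of kubectl get configmap argocd-cm -o json.

```python
import json
import re

# Affected ranges and first fixed releases, copied from the advisory text.
AFFECTED = [
    ((1, 4, 0), (2, 1, 14), "2.1.15"),
    ((2, 2, 0), (2, 2, 8), "2.2.9"),
    ((2, 3, 0), (2, 3, 3), "2.3.4"),
]

def parse_version(text):
    """'v2.3.3+07ac038' -> (2, 3, 3). Simplification: suffixes after x.y.z are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def fixed_release(version):
    """Return the release to upgrade to, or None if the version is outside the ranges."""
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return fix
    return None

def anonymous_enabled(argocd_cm_json):
    """argocd_cm_json: the argocd-cm ConfigMap serialized as JSON."""
    data = json.loads(argocd_cm_json).get("data") or {}
    # A missing key means anonymous access is off (the default installation).
    # Assumption: compare case-insensitively so odd spellings are still flagged.
    return str(data.get("users.anonymous.enabled", "false")).strip().lower() == "true"

def triage(version, argocd_cm_json):
    fix = fixed_release(version)
    if fix is None:
        return ("ok", None)
    if anonymous_enabled(argocd_cm_json):
        return ("exposed", fix)   # affected release and anonymous access enabled
    return ("upgrade", fix)       # affected release, anonymous access disabled

# Constructed sample inventory: (instance name, reported version, argocd-cm JSON).
SAMPLE = [
    ("ci-east", "v2.3.3+07ac038", '{"data": {"users.anonymous.enabled": "true"}}'),
    ("ci-west", "2.2.8", '{"data": {"url": "https://argocd.example.test"}}'),
    ("staging", "v2.1.14", '{"data": {"users.anonymous.enabled": "false"}}'),
    ("prod", "v2.3.4", '{"data": {"users.anonymous.enabled": "true"}}'),
]

if __name__ == "__main__":
    for name, version, cm in SAMPLE:
        print(name, version, *triage(version, cm))
```

Instances reported as "exposed" are the ones to handle first; "upgrade" instances run an affected release but have anonymous access disabled.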

Exploit

Fix

Improper Authentication

Information Disclosure

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

BDU:2022-03200
CVE-2022-29165
GHSA-R642-GV9P-2WJJ
GO-2022-0455

Affected Products

Argo CD