PT-2022-3259 · Argo CD

Adam Korczynski +4 · Published 2022-06-15 · Updated 2024-08-21 · CVE-2022-31034

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Argo CD versions 0.11.0 through 2.4.0
Argo CD versions 2.1.0 through 2.1.15
Argo CD versions 2.2.0 through 2.2.9
Argo CD versions 2.3.0 through 2.3.4
Description

The issue is related to the use of insufficiently random values in parameters of the OAuth2/OIDC login flows, making it possible for an attacker to gain admin access to Argo CD. The attacks are difficult to accomplish but can have a high impact. The vulnerabilities are due to the use of a relatively predictable seed in a non-cryptographically-secure pseudo-random number generator; in some cases the generated value was also too short, reducing its entropy even further. The vulnerable parameters are the state parameter, the code verifier parameter, and the nonce parameter.
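As an added illustration (not code from Argo CD or from this advisory), the following Go snippet shows the class of fix for this weakness: deriving the OAuth2 state, the OIDC nonce and the PKCE code_verifier from the operating system's CSPRNG (`crypto/rand`) with at least 256 bits of entropy each, instead of from a seeded `math/rand` generator. The function names are my own; the verifier length and character-set rule and the S256 challenge derivation follow RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
)

// randomURLSafe returns n random bytes from the OS CSPRNG, base64url-encoded
// without padding. This is the kind of source an OAuth2/OIDC client must use
// for state, nonce and code_verifier; a time-seeded math/rand is not suitable.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewState and NewNonce each carry 32 bytes (256 bits) of entropy.
func NewState() (string, error) { return randomURLSafe(32) }
func NewNonce() (string, error) { return randomURLSafe(32) }

// NewCodeVerifier returns a PKCE code_verifier: 32 random bytes encode to
// 43 unreserved characters, the minimum length RFC 7636 allows (43..128).
func NewCodeVerifier() (string, error) { return randomURLSafe(32) }

// CodeChallengeS256 derives the S256 code_challenge sent in the
// authorization request from the verifier kept by the client.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// ValidCodeVerifier checks the length and character set RFC 7636 requires;
// a verifier that fails this check is a sign of a too-short or malformed value.
func ValidCodeVerifier(v string) bool { return verifierRe.MatchString(v) }

func main() {
	state, _ := NewState()
	verifier, _ := NewCodeVerifier()
	fmt.Println("state:", state)
	fmt.Println("code_verifier:", verifier, "valid:", ValidCodeVerifier(verifier))
	fmt.Println("code_challenge:", CodeChallengeS256(verifier))
}
```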
Recommendations

For Argo CD versions 0.11.0 through 2.1.15, update to version 2.1.16 or later.
For Argo CD versions 2.2.0 through 2.2.9, update to version 2.2.10 or later.
For Argo CD versions 2.3.0 through 2.3.4, update to version 2.3.5 or later.
For Argo CD versions 2.4.0 and earlier, update to version 2.4.1 or later.

As a temporary workaround, consider restricting access to the OAuth2/OIDC login flows until a patch is applied.

Weakness Enumeration

Use of Insufficiently Random Values
Related Identifiers

BDU:2022-03977
CVE-2022-31034
GHSA-2M7H-86QQ-FP4V
GO-2022-0497

Affected Products

Argo CD