PT-2022-4053 · Argo CD · Argo CD

Author: Adam Korczynski +3
Published: 2022-07-12 · Updated: 2024-08-21
CVE-2022-31105
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Argo CD versions 0.4.0 through 2.2.10
Argo CD versions 2.3.0 through 2.3.5
Argo CD versions 2.4.0 through 2.4.4

Description
The issue is an improper certificate validation bug in Argo CD that can cause it to trust a malicious OpenID Connect (OIDC) provider. Argo CD skips certificate verification when communicating with the OIDC provider, so an attacker positioned on the connection to that provider can spoof it. This exposes Argo CD to risks such as a machine-in-the-middle attack on the login flow.

Recommendations
For Argo CD versions 0.4.0 through 2.2.10, update to version 2.2.11 or later.
For Argo CD versions 2.3.0 through 2.3.5, update to version 2.3.6 or later.
For Argo CD versions 2.4.0 through 2.4.4, update to version 2.4.5 or later.
As a temporary workaround for users of an external OIDC provider, set the oidc.config.rootCA field in the argocd-cm ConfigMap to force certificate validation when the API server handles login flows.
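As an added illustration of the bug class the description names (example code, not Argo CD's own): in Go, the language Argo CD is written in, an OIDC HTTP client whose TLS config skips verification accepts any certificate, while the hardened variant validates the provider chain against a configured rootCA bundle, mirroring the oidc.config.rootCA workaround, or the system trust store. The function names and the self-signed demo CA are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// vulnerableTLSConfig shows the bug class from the advisory: verification is
// switched off, so a spoofed OIDC provider with any certificate is accepted.
func vulnerableTLSConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedTLSConfig always verifies the provider chain, against the rootCA PEM
// bundle (the oidc.config.rootCA workaround) when set, else the system store.
func hardenedTLSConfig(rootCA string) (*tls.Config, error) {
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if rootCA != "" {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(rootCA)) {
			return nil, fmt.Errorf("rootCA contains no parseable PEM certificate")
		}
		tc.RootCAs = pool
	}
	return tc, nil
}

// VerifiesPeer is the guard a unit test or review can apply to any tls.Config.
func VerifiesPeer(tc *tls.Config) bool { return tc != nil && !tc.InsecureSkipVerify }

// selfSignedCAPEM builds a constructed demo CA so the example runs offline.
func selfSignedCAPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	tc, err := hardenedTLSConfig(selfSignedCAPEM())
	fmt.Println(err, VerifiesPeer(tc), VerifiesPeer(vulnerableTLSConfig())) // <nil> true false
}
```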

Weakness Enumeration
Improper Certificate Validation

Related Identifiers

BDU:2022-04887
CVE-2022-31105
GHSA-7943-82JG-WMW5
GO-2022-0518

Affected Products

Argo CD