PT-2023-5114 · Argo CD

Farcaller +1

Published: 2023-01-25 · Updated: 2024-08-20

CVE-2023-22482

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Argo CD versions 1.8.2 through 2.3.12
Argo CD versions 2.4.0 through 2.4.18
Argo CD versions 2.5.0 through 2.5.5
Argo CD versions 2.6.0-rc0 through 2.6.0-rc2
Description

The issue is an improper authorization bug in Argo CD that causes the API to accept certain invalid tokens. OIDC providers include an aud (audience) claim in the signed tokens they issue, naming the client the token is intended for. Argo CD does not validate this claim, so it accepts tokens that were not issued for Argo CD. If the configured OIDC provider also serves other audiences, Argo CD accepts a token issued for one of those other audiences and grants user privileges based on the token's groups claim. This increases the impact of a stolen token: a valid token for a different audience can be used to access Argo CD.
Recommendations

For versions 1.8.2 through 2.3.12, update to version 2.3.13 or later.
For versions 2.4.0 through 2.4.18, update to version 2.4.19 or later.
For versions 2.5.0 through 2.5.5, update to version 2.5.6 or later.
For versions 2.6.0-rc0 through 2.6.0-rc2, update to version 2.6.0-rc3 or later.

As a temporary workaround, consider configuring the allowedAudiences option in the OIDC config block to specify the intended audiences for the token.
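As an added example (not code from Argo CD or from this advisory), the following Go snippet models the check the description and the workaround describe: the groups claim that drives RBAC is only read after at least one aud value matches a configured allowedAudiences list, whereas the affected releases skipped that check. The token builder, the claim values, and the audience names are constructed for the demo, and signature verification is assumed to happen upstream in the OIDC library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// MakeToken builds a constructed, unsigned compact JWT for this demo only.
func MakeToken(payloadJSON string) string {
	return "eyJhbGciOiJub25lIn0." + base64.RawURLEncoding.EncodeToString([]byte(payloadJSON)) + ".sig"
}
// asStrings normalises a claim that RFC 7519 allows as a string or an array.
func asStrings(v interface{}) (out []string) {
	if s, ok := v.(string); ok {
		return []string{s}
	}
	arr, _ := v.([]interface{})
	for _, e := range arr {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// Groups returns the groups claim Argo CD maps to RBAC roles (signature
// verification is assumed to happen upstream). The affected releases had no
// audience loop, so a token the provider signed for any other client passed.
func Groups(token string, allowed []string) ([]string, error) {
	_, rest, _ := strings.Cut(token, ".")
	payload, _, _ := strings.Cut(rest, ".")
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	var claims map[string]interface{}
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	if err != nil {
		return nil, err
	}
	for _, a := range asStrings(claims["aud"]) {
		for _, want := range allowed { // allowedAudiences from the OIDC config
			if a == want {
				return asStrings(claims["groups"]), nil
			}
		}
	}
	return nil, fmt.Errorf("aud %v not in allowedAudiences %v", asStrings(claims["aud"]), allowed)
}
```

A token carrying aud as an array is accepted as long as one element is allowed; a token with no aud at all is rejected.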


Weakness Enumeration

Incorrect Authorization

Related Identifiers

BDU:2023-05691
CVE-2023-22482
GHSA-Q9HR-J4RF-8FJC
GO-2023-1520

Affected Products

Argo CD