Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-22482 #1522

Closed
GoVulnBot opened this issue Jan 26, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-22482 #1522

GoVulnBot opened this issue Jan 26, 2023 · 2 comments
Assignees
@maceonthompson
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-22482 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an aud (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD does validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD does not validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's groups claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/argoproj/argo-cd
    packages:
      - package: argo-cd
description: |
    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.
cves:
  - CVE-2023-22482
references:
  - fix: https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc
@maceonthompson maceonthompson self-assigned this Feb 6, 2023
@maceonthompson maceonthompson added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Feb 6, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/466475 mentions this issue: data/excluded: batch add GO-2023-1527, GO-2023-1524, GO-2023-1516, GO-2023-1514, GO-2023-1513, GO-2023-1511, GO-2023-1523, GO-2023-1522, GO-2023-1520, GO-2023-1512

@maceonthompson maceonthompson added duplicate and removed excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. labels Feb 8, 2023
@maceonthompson
Copy link

duplicate of #1520

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maceonthompson maceonthompson

Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @maceonthompson @GoVulnBot