{
  "id": "CVE-2023-22482",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2023-01-26T21:18:12.213",
  "lastModified": "2023-11-07T04:06:59.863",
  "vulnStatus": "Modified",
  "descriptions": [
    {
      "lang": "en",
      "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3  are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9
      },
      {
        "source": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0
      }
    ]
  },
  "weaknesses": [
    {
      "source": "a0819718-46f1-4df5-94e2-005712e83aaa",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "1.8.2",
              "versionEndExcluding": "2.3.14",
              "matchCriteriaId": "73B64B61-8B94-41AF-A11B-21B5346CB31A"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2.4.0",
              "versionEndExcluding": "2.4.20",
              "matchCriteriaId": "D01FE7C4-7034-4158-8230-97930C57BC29"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2.5.0",
              "versionEndExcluding": "2.5.8",
              "matchCriteriaId": "D83FDB3B-9C05-4204-93DF-72DE7167E9B9"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B38E75CD-1E9C-40DA-BC4B-EE90ADD252FA"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B8DD83D1-0357-4613-A003-DF7FD76298B8"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "B9DE8032-2C96-424A-A328-E82A142524B8"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "3B00F40B-782B-447B-B158-D534F06B1A9B"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    }
  ]
}