CVE-2022-29165
Published 2022-05-20
Priority P2 · 71 · Critical · CVSS 3.1: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.86% (76.5th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which allows unauthenticated users to impersonate any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request.

In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate any user or role, including the built-in `admin` account, regardless of whether that account is enabled or disabled. The attacker does not need an account on the Argo CD instance in order to exploit this.

If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively gaining the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This allows the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API.

A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.
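The description above says the server accepts the claims of a crafted JWT when anonymous access is on. The following is an added example that models that pattern in plain Python with stdlib HS256, not Argo CD's own code: a flawed authenticator that falls back to the unverified token when signature verification fails and anonymous access is enabled, beside a fixed one that gives an invalid token no more than an absent one. The signing key, the `role:readonly` anonymous role and the forged token are constructed for the example.

```python
"""Illustrative HS256 JWT handling: a flawed authenticator that falls back to
unverified claims when anonymous access is on, next to a fixed one.
Added example modelling the advisory's description; it is not Argo CD's code.
The key, role name and token below are constructed."""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-server-signing-key"   # assumption: stand-in for the server's HS256 secret
ANONYMOUS_ROLE = "role:readonly"                  # assumption: what anonymous requests are mapped to


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Build header.payload.signature with HS256 over the first two segments."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def unverified_claims(token):
    """Decode the payload without touching the signature; everything in it is attacker-controlled."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def verified_claims(token, key, now=None):
    """Return the claims only if the HS256 signature matches `key` and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("expired")
    return claims


def authenticate_vulnerable(token, anonymous_enabled, key):
    """Flawed pattern: when anonymous access is on and verification fails, the request
    proceeds as the unverified token's subject instead of as the anonymous role."""
    if token is None:
        if anonymous_enabled:
            return ANONYMOUS_ROLE
        raise PermissionError("unauthenticated")
    try:
        return verified_claims(token, key)["sub"]
    except ValueError:
        if anonymous_enabled:
            return unverified_claims(token).get("sub", ANONYMOUS_ROLE)  # trusts forged claims
        raise PermissionError("invalid token")


def authenticate_fixed(token, anonymous_enabled, key):
    """Fixed pattern: an invalid token earns exactly what no token earns."""
    if token is not None:
        try:
            return verified_claims(token, key)["sub"]
        except ValueError:
            if not anonymous_enabled:
                raise PermissionError("invalid token")
    if anonymous_enabled:
        return ANONYMOUS_ROLE
    raise PermissionError("unauthenticated")


def forge_admin_token():
    """Attacker side: sign a sub=admin token with a key the server has never seen."""
    claims = {"iss": "argocd", "sub": "admin", "exp": int(time.time()) + 3600}
    return sign_jwt(claims, b"attacker-chosen-key")


def rejects(authenticate, token, anonymous_enabled, key=SERVER_KEY):
    """True when the authenticator refuses the request outright."""
    try:
        authenticate(token, anonymous_enabled, key)
        return False
    except PermissionError:
        return True
```

With anonymous access on, `authenticate_vulnerable(forge_admin_token(), True, SERVER_KEY)` returns `"admin"` while `authenticate_fixed` returns the anonymous role; with anonymous access off, both refuse the forged token, which is why the default installation is not exploitable.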
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | >= 1.4.0 < 2.1.15 | 2.1.15 |
| argoproj | argo_cd | >= 2.2.0 < 2.2.9 | 2.2.9 |
| argoproj | argo_cd | >= 2.3.0 < 2.3.4 | 2.3.4 |
| github.com | argoproj_argo-cd | >= 0 < 2.1.15 | 2.1.15 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.1.15 | 2.1.15 |
| github.com | argoproj_argo-cd_v2 | >= 2.2.0 < 2.2.9 | 2.2.9 |
| github.com | argoproj_argo-cd_v2 | >= 2.3.0 < 2.3.4 | 2.3.4 |
Detection & IOCs (extracted from sources)
- Exploitation requires anonymous access to be enabled on the Argo CD instance. Audit the `argocd-cm` ConfigMap for `users.anonymous.enabled: "true"` (the key is absent or `"false"` by default), and correlate with inbound requests that carry a JWT.
- When anonymous access is enabled, affected Argo CD versions trust JWT claims without validating them, so unauthenticated requests bearing a JWT should be treated as suspicious.
- Monitor for privilege escalation indicators: unexpected creation, modification or deletion of cluster resources attributed to the Argo CD service accounts in the Kubernetes audit log, which may indicate exploitation.
- Watch for unexpected or unauthorized workloads with elevated privileges deployed through Argo CD, which may indicate post-exploitation data exfiltration.
- Affected versions are Argo CD 1.4.0 through 2.1.14, 2.2.0 through 2.2.8, and 2.3.0 through 2.3.3; flag any of these in your environment as unpatched and at risk.
- Exploitation is only possible when anonymous access is explicitly enabled; default Argo CD installations have it disabled and are not directly vulnerable.
- Red Hat GitOps operator-installed Argo CD instances have anonymous mode disabled by default, reducing exposure in that deployment.
- The attacker does not need a pre-existing account on the Argo CD instance; any unauthenticated client can craft the malicious JWT if anonymous access is on.
- The admin account can be impersonated regardless of whether it is enabled or disabled on the instance.
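The indicators above reduce to two checks: is argocd-server on an affected version, and does argocd-cm enable anonymous access. The script below is an added audit helper, not part of the Argo CD project, that combines both against the JSON `kubectl` emits; `SAMPLE_CM` and `SAMPLE_DEPLOY` are constructed stand-ins for `kubectl -n argocd get cm argocd-cm -o json` and `kubectl -n argocd get deploy argocd-server -o json`, and the status labels are the example's own.

```python
"""Audit helper for CVE-2022-29165: an install is exposed when argocd-server runs an
affected version AND argocd-cm enables anonymous access. Added example, not part of
the Argo CD project. SAMPLE_CM and SAMPLE_DEPLOY are constructed stand-ins for
`kubectl -n argocd get cm argocd-cm -o json` and `kubectl -n argocd get deploy argocd-server -o json`."""
import json
import re

# [min inclusive, fixed exclusive) as listed in the advisory
AFFECTED_RANGES = [
    ((1, 4, 0), (2, 1, 15)),
    ((2, 2, 0), (2, 2, 9)),
    ((2, 3, 0), (2, 3, 4)),
]


def parse_version(tag):
    """'v2.3.3' or '2.3.3-rc1' -> (2, 3, 3); None for tags such as 'latest' or a digest."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(tag):
    """True/False for a parseable version, None when the tag cannot be compared."""
    v = parse_version(tag)
    if v is None:
        return None
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def anonymous_enabled(argocd_cm):
    """Argo CD reads users.anonymous.enabled from argocd-cm; a missing key means disabled."""
    data = argocd_cm.get("data") or {}
    return str(data.get("users.anonymous.enabled", "false")).strip().lower() == "true"


def server_image_tag(deploy):
    """Tag of the argocd-server container image; digest-pinned images yield the digest,
    which parse_version rejects so the install is routed to manual review."""
    for c in deploy["spec"]["template"]["spec"]["containers"]:
        if c.get("name") == "argocd-server":
            image = c["image"]
            if "@" in image:
                return image.split("@", 1)[1]
            last = image.rsplit("/", 1)[-1]          # avoid a registry port like host:5000
            return image.rsplit(":", 1)[1] if ":" in last else None
    return None


def assess(cm_json, deploy_json):
    cm, deploy = json.loads(cm_json), json.loads(deploy_json)
    tag = server_image_tag(deploy)
    affected = is_affected_version(tag)
    anon = anonymous_enabled(cm)
    if affected is None:
        status = "REVIEW"       # version unknown; resolve the image manually
    elif affected and anon:
        status = "EXPOSED"      # both conditions from the advisory hold
    elif affected:
        status = "UNPATCHED"    # vulnerable code present, not reachable while anonymous is off
    else:
        status = "PATCHED"
    return {"server_tag": tag, "affected_version": affected, "anonymous_enabled": anon, "status": status}


# constructed samples, trimmed to the fields the audit reads
SAMPLE_CM = json.dumps({
    "kind": "ConfigMap",
    "metadata": {"name": "argocd-cm", "namespace": "argocd"},
    "data": {"users.anonymous.enabled": "true", "url": "https://argocd.example.internal"},
})
SAMPLE_CM_DEFAULT = json.dumps({"kind": "ConfigMap", "metadata": {"name": "argocd-cm"}, "data": {}})
SAMPLE_DEPLOY = json.dumps({
    "kind": "Deployment",
    "metadata": {"name": "argocd-server", "namespace": "argocd"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "argocd-server", "image": "quay.io/argoproj/argocd:v2.3.3"}
    ]}}},
})

if __name__ == "__main__":
    print(assess(SAMPLE_CM, SAMPLE_DEPLOY))
```

Run it against live output by piping the two `kubectl ... -o json` results into `assess`. An `UNPATCHED` result still warrants upgrading: a later config change flips it to `EXPOSED` without any code change.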
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
OSV
osv · 2024-08-21
CVE-2022-29165: Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd
GHSA
ghsa · 2022-05-24 · CRITICAL · CWE-200
CVE-2022-29165: Argo CD will blindly trust JWT claims if anonymous access is enabled
### Impact
A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, [anonymous access](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#anonymous-access) to the Argo CD instance must have been enabled.
In a default Argo CD installation, anonymous access is disabled. To find out if anonymous access is enabled in your instance, please see the *Workarounds* section of this advisory below.
The vulnerability can be exploited to impersonate as any user or role, including the
OSV
osv · 2022-05-24 · CRITICAL
CVE-2022-29165: Argo CD will blindly trust JWT claims if anonymous access is enabled (same advisory text as the GHSA entry above)
Red Hat
vendor_redhat · 2022-05-18 · CVSS 10.0 · CRITICAL · CWE-551
CVE-2022-29165: argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled (description matches the NVD text above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj
- https://github.com/argoproj/argo-cd/releases/tag/v2.1.15
- https://github.com/argoproj/argo-cd/releases/tag/v2.2.9
- https://github.com/argoproj/argo-cd/releases/tag/v2.3.4