CVE-2022-29165
published 2022-05-20


Priority: P2 (71), critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 1.86% (76.5th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled.

The vulnerability can be exploited to impersonate any user or role, including the built-in `admin` account, regardless of whether that account is enabled or disabled. The attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively gaining the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This allows the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API.

A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.

Affected (10 ranges)

Vendor      | Product                   | Version range       | Fixed in
argoproj    | argo-cd                   | (no range listed)   |
argoproj    | argo-cd                   | (no range listed)   |
argoproj    | argo-cd                   | (no range listed)   |
argoproj    | argo_cd                   | >= 1.4.0 < 2.1.15   | 2.1.15
argoproj    | argo_cd                   | >= 2.2.0 < 2.2.9    | 2.2.9
argoproj    | argo_cd                   | >= 2.3.0 < 2.3.4    | 2.3.4
github.com  | argoproj/argo-cd          | >= 0 < 2.1.15       | 2.1.15
github.com  | argoproj/argo-cd/v2       | >= 0 < 2.1.15       | 2.1.15
github.com  | argoproj/argo-cd/v2       | >= 2.2.0 < 2.2.9    | 2.2.9
github.com  | argoproj/argo-cd/v2       | >= 2.3.0 < 2.3.4    | 2.3.4

Detection & IOCs (extracted from sources)

  • Exploitation requires anonymous access to be enabled on the Argo CD instance; detect by auditing the Argo CD configuration for anonymous access being enabled, combined with inbound requests carrying a crafted JWT
  • Unauthenticated requests bearing a JWT should be treated as suspicious when anonymous access is enabled, because Argo CD blindly trusts JWT claims in this configuration
  • Monitor for privilege escalation indicators: unexpected creation, modification, or deletion of cluster resources originating from the Argo CD service account, which may indicate exploitation
  • Watch for deployment of unexpected or unauthorized workloads with elevated privileges via Argo CD, which may indicate post-exploitation data exfiltration activity
  • Affected versions are Argo CD 1.4.0 through 2.1.14, 2.2.0 through 2.2.8, and 2.3.0 through 2.3.3; flag any of these versions in your environment as unpatched and at risk
  • Exploitation is ONLY possible when anonymous access is explicitly enabled; default Argo CD installations have it disabled and are not directly vulnerable
  • Red Hat GitOps operator-installed Argo CD instances have anonymous mode disabled by default, reducing exposure in that specific deployment
  • The attacker does not need a pre-existing account on the Argo CD instance; any unauthenticated user can craft the malicious JWT if anonymous access is on
  • The admin account can be impersonated regardless of whether it is enabled or disabled on the instance
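The two conditions the advisory and the detection notes above combine, an affected version and anonymous access enabled, can be checked together in a small audit script. This is an added example, not code from the Argo CD project or from this page; it assumes the version string comes from `argocd version` or the server image tag, and that the `argocd-cm` ConfigMap (with its `users.anonymous.enabled` key) has been fetched with `kubectl get cm argocd-cm -n argocd -o json`. The sample ConfigMap is constructed.

```python
import json
import re

# Affected ranges as the advisory states them, per release branch: [first affected, first fixed).
AFFECTED_RANGES = (((1, 4, 0), (2, 1, 15)), ((2, 2, 0), (2, 2, 9)), ((2, 3, 0), (2, 3, 4)))

def parse_version(text):
    """Reduce 'v2.2.5', '2.2.5+a1b2c3' or '2.3.0-rc1' to a (major, minor, patch) tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Argo CD version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected_version(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)

def anonymous_access_enabled(argocd_cm_json):
    """Read users.anonymous.enabled from argocd-cm (`kubectl get cm argocd-cm -n argocd -o json`).
    A missing key means the Argo CD default, which is disabled."""
    data = json.loads(argocd_cm_json).get("data") or {}
    return data.get("users.anonymous.enabled", "false").strip().lower() == "true"

def assess(version, argocd_cm_json):
    """Combine the version check and the anonymous-access precondition into one verdict."""
    affected = is_affected_version(version)
    anonymous = anonymous_access_enabled(argocd_cm_json)
    if affected and anonymous:
        verdict = "exploitable"  # unpatched and the precondition is met: upgrade now
    elif affected:
        verdict = "at-risk"      # unpatched, but not exploitable while anonymous access stays off
    else:
        verdict = "patched"
    return {"version": version, "affected": affected, "anonymous": anonymous, "verdict": verdict}

# Constructed sample ConfigMap (not taken from a real cluster) with anonymous access switched on.
SAMPLE_ARGOCD_CM = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "argocd-cm", "namespace": "argocd"},
    "data": {"url": "https://argocd.example.invalid", "users.anonymous.enabled": "true"},
})

if __name__ == "__main__":
    for candidate in ("v2.2.5", "v2.3.4", "v1.3.9"):
        print(assess(candidate, SAMPLE_ARGOCD_CM))
```

Pre-release suffixes such as `-rc1` are ignored, so a 2.3.0 release candidate is treated as affected, which is the conservative reading for an audit.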

CVSS provenance

NVD, CVSS v3.1: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
NVD, CVSS v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Vendor (Red Hat): 10.0 CRITICAL