CVE-2022-31105
Published: 2022-07-12
Priority: P348 | Severity: critical | CVSS 3.1 base score: 9.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.64% (45.8th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance) can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.
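The partial mitigation above is a single field in the `argocd-cm` ConfigMap. The following ConfigMap is an added illustration of that setting and is not taken from the advisory or from the Argo CD project; the issuer URL, client ID, secret reference, namespace and the PEM certificate body are placeholders to be replaced with the values of the real OIDC provider.

```yaml
# Added example (not from the advisory): argocd-cm with the partial
# CVE-2022-31105 workaround for an external OIDC provider.
# Without the rootCA field, affected versions skip certificate
# verification when the API server talks to the provider.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd                      # placeholder namespace
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.internal   # placeholder external URL of Argo CD
  oidc.config: |
    name: Corporate SSO                  # placeholder display name
    issuer: https://sso.example.internal # placeholder OIDC issuer
    clientID: argo-cd                    # placeholder client ID
    clientSecret: $oidc.sso.clientSecret # reference to a key in argocd-secret
    requestedScopes: ["openid", "profile", "email", "groups"]
    # The workaround: pin the CA that must sign the provider's certificate.
    # Per the advisory this only forces validation during login flows, not
    # when tokens are verified on API calls, so upgrading is still required.
    rootCA: |
      -----BEGIN CERTIFICATE-----
      PLACEHOLDER-PEM-BODY-OF-THE-PROVIDER-CA-CERTIFICATE
      -----END CERTIFICATE-----
```

Apply it with `kubectl apply -f` in the Argo CD namespace and confirm that SSO logins still succeed; a login failure after the change typically means the supplied CA does not sign the provider's certificate, which is exactly the condition that affected versions would have silently accepted.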
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | >= 2.3.0 < 2.3.6 | 2.3.6 |
| argoproj | argo_cd | >= 2.4.0 < 2.4.5 | 2.4.5 |
| github.com | argoproj_argo-cd | >= 0.4.0 < 2.2.11 | 2.2.11 |
| github.com | argoproj_argo-cd | >= 0.4.0 | — |
| github.com | argoproj_argo-cd | >= 2.3.0 < 2.3.6 | 2.3.6 |
| github.com | argoproj_argo-cd | >= 2.4.0 < 2.4.5 | 2.4.5 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.2.11 | 2.2.11 |
| github.com | argoproj_argo-cd_v2 | >= 2.3.0 < 2.3.6 | 2.3.6 |
| github.com | argoproj_argo-cd_v2 | >= 2.4.0 < 2.4.5 | 2.4.5 |
| linuxfoundation | argo-cd | >= 0.4.0 < 2.2.11 | 2.2.11 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 8.3 | HIGH | — |
Red Hat (vendor_redhat, 2022-07-13, CVSS 8.3): CVE-2022-31105 [HIGH] CWE-295 argo-cd: certificate verification is skipped for connections to OIDC providers
OSV (osv, 2024-08-21): CVE-2022-31105 Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd
GHSA (ghsa, 2022-07-12): CVE-2022-31105 [HIGH] CWE-295 Argo CD certificate verification is skipped for connections to OIDC providers
### Impact
All versions of Argo CD starting with v0.4.0 are vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OIDC provider.
(Note: external OIDC provider support was added in v0.11.0. Before that version, the notes below apply only to the bundled Dex instance.)
You are impacted if 1) you have SSO enabled and 2) insecure mode is _not_ enabled on the API server. In this case, certificate verification is skipped when connecting to your OIDC provider for the following tasks: verifying auth tokens on API requests and handling SSO login flows. If you are using the bundled Dex instance but have _not_ set the `--dex-server` flag on the API se
OSV (osv, 2022-07-12): CVE-2022-31105 [HIGH] Argo CD certificate verification is skipped for connections to OIDC providers (same Impact text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/argoproj/argo-cd/releases/tag/v2.3.6
- https://github.com/argoproj/argo-cd/releases/tag/v2.4.5
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5