CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-23947 – Argo CD users with any cluster secret update access may update out-of-bounds cluster secrets
https://notcve.org/view.php?id=CVE-2023-23947
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. • https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945 https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j https://access.redhat.com/security/cve/CVE-2023-23947 https://bugzilla.redhat.com/show_bug.cgi?id=2167819 • CWE-863: Incorrect Authorization •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-22736 – argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled
https://notcve.org/view.php?id=CVE-2023-22736
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. • https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw https://access.redhat.com/security/cve/CVE-2023-22736 https://bugzilla.redhat.com/show_bug.cgi?id=2162517 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2023-22482 – JWT audience claim is not verified
https://notcve.org/view.php?id=CVE-2023-22482
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. • https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc https://access.redhat.com/security/cve/CVE-2023-22482 https://bugzilla.redhat.com/show_bug.cgi?id=2160492 • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31102 – Cross-site Scripting for Argo CD single sign on users
https://notcve.org/view.php?id=CVE-2022-31102
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which have single sign on (SSO) enabled. The exploit also assumes the attacker has 1) access to the API server's encryption key, 2) a method to add a cookie to the victim's browser, and 3) the ability to convince the victim to visit a malicious `/auth/callback` link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access. • https://github.com/argoproj/argo-cd/releases/tag/v2.3.6 https://github.com/argoproj/argo-cd/releases/tag/v2.4.5 https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31105 – Argo CD's certificate verification is skipped for connections to OIDC providers
https://notcve.org/view.php?id=CVE-2022-31105
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. • https://github.com/argoproj/argo-cd/releases/tag/v2.3.6 https://github.com/argoproj/argo-cd/releases/tag/v2.4.5 https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5 • CWE-295: Improper Certificate Validation CWE-599: Missing Validation of OpenSSL Certificate •