CVE-2022-31105
Argo CD's certificate verification is skipped for connections to OIDC providers
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.
Argo CD es una herramienta declarativa de entrega continua GitOps para Kubernetes. Argo CD a partir de la versión 0.4.0 y anteriores a 2.2.11, 2.3.6 y 2.4.5 es vulnerable a un error de comprobación de certificados inapropiado que podría causar que Argo CD confíe en un proveedor de OpenID Connect (OIDC) malicioso (o que no sea confiable). Ha sido publicado un parche para esta vulnerabilidad en versiones 2.4.5, 2.3.6 y 2.2.11 de Argo CD. No se presentan mitigaciones completas, pero se presenta una mitigación parcial. Aquellos que usan un proveedor OIDC externo (no la instancia Dex incluida), pueden mitigar el problema al establecer el campo "oidc.config.rootCA" en "argocd-cm" ConfigMap. Esta mitigación sólo fuerza la comprobación del certificado cuando el servidor de la API maneja los flujos de inicio de sesión. No fuerza la verificación del certificado cuando son verificados los tokens en las llamadas a la API
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-12 CVE Published
- 2024-03-02 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
- CWE-599: Missing Validation of OpenSSL Certificate
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/argoproj/argo-cd/releases/tag/v2.3.6 | Release Notes | |
| https://github.com/argoproj/argo-cd/releases/tag/v2.4.5 | Release Notes | |
| https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 0.4.0 < 2.2.11 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 0.4.0 < 2.2.11" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 2.3.0 < 2.3.6 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.3.0 < 2.3.6" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 2.4.0 < 2.4.5 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.4.0 < 2.4.5" | - |
Affected
| ||||||