Multiple vulnerabilities in Argo CD
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
Updated: 19.05.2022
Updated list of affected versions, added links to vendor's advisories. For vulnerability #VU63411 updated CVSS score and description.
1) Authentication Bypass by Spoofing
EUVDB-ID: #VU63413
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-29165
CWE-ID:
CWE-290 - Authentication Bypass by Spoofing
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to an error in the authentication process. A remote non-authenticated attacker can send a specifically crafted JSON Web Token (JWT) along with the request and impersonate any Argo CD user or role, including the admin user.
Successful exploitation of the vulnerability requires that anonymous access to the Argo CD instance is enabled.
Install updates from vendor's website.
Vulnerable software versionsArgo CD: 1.4.0 - 2.3.3
CPE2.3- cpe:2.3:a:argo:argo-cd:1.4.3:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.5.8:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.6.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.7.14:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.8.7:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:2.0.5:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:2.1.14:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:2.2.8:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:2.3.3:*:*:*:*:kubernetes:*:*
https://bugzilla.redhat.com/show_bug.cgi?id=2081686
https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Spoofing attack
EUVDB-ID: #VU63412
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-24905
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim to visit a specially crafted link and spoof messages on the login screen when SSO is enabled.
Install updates from vendor's website.
Vulnerable software versionsArgo CD: 0.6.1 - 2.3.3
CPE2.3- cpe:2.3:a:argo:argo-cd:0.6.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:0.7.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:0.8.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:0.9.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:0.12.3:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.0.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.1.2:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.2.5:*:*:*:*:kubernetes:*:*
- cpe:2.3:a:argo:argo-cd:1.3.6:*:*:*:*:kubernetes:*:*
https://bugzilla.redhat.com/show_bug.cgi?id=2081689
https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) UNIX symbolic link following
EUVDB-ID: #VU63411
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-24904
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue. A remote user with repository write access can create a specially crafted symbolic link to a critical file and leak sensitive files from Argo CD's repo-server, such as manifests and JSON files.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArgo CD: 0.7.0 - 2.3.3
CPE2.3https://bugzilla.redhat.com/show_bug.cgi?id=2081691
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
