CVE-2023-22482: Critical-Severity Flaw in Argo CD

Users of the Argo continuous deployment (CD) tool for Kubernetes are being urged to push through updates after two vulnerabilities were found that could allow an attacker to access Argo CD and deploy Applications outside the configured allowed namespaces.

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It is implemented as a kubernetes controller which continuously monitors running applications and compares the current, live state against the desired target state (as specified in the Git repo).

Argo CD is officially used by 257 organizations, including Alibaba Group, BMW Group, Deloitte, Gojek, IBM, Intuit, LexisNexis, Red Hat, Skyscanner, Swisscom, Tesla, and Ticketmaster.

The flaw, tagged as CVE-2023-22482 (CVSS score of 9.0), affects versions 1.8.2 through 2.6.0-rc4, v2.5.7, v2.4.18, and v2.3.13 and has been addressed in versions 2.6.0-rc5, v2.5.8, v2.4.20, and v2.3.14. Vladimir Pouzanov (@farcaller) from Indeed has been credited with discovering and reporting the bug.

All versions of Argo CD starting with v1.8.2 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens.” the Argo CD developers wrote.

OIDC providers include an aud (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD does validate that the token was signed by Argo CD’s configured OIDC provider. But Argo CD does not validate the audience claim, so it will accept tokens that are not intended for Argo CD.

Argo CD users are advised to update to a patched version of the platform as soon as possible as no workarounds are available for CVE-2023-22482.

Tracked as CVE-2023-22736 (CVSS score of 8.5), the vulnerability is an authorization bypass that allows an attacker to deploy Applications outside the configured allowed namespaces. The patch for this vulnerability was included in the Argo CD releases 2.5.8, and 2.6.0-rc5.

There is a workaround for this vulnerability without upgrading –

Running only one replica of the Application controller will prevent the exploitation of this bug. Making sure all AppProjects’ sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.