Bug 2081686 (CVE-2022-29165)
Summary: | CVE-2022-29165 argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | mbenatto, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD's anonymous access is enabled and gains full access to the ArgoCD instance. This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster's confidentiality, integrity, and availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-19 02:37:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2081692 |
Description
Avinash Hanwate
2022-05-04 11:37:31 UTC
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.3 Via RHSA-2022:4671 https://access.redhat.com/errata/RHSA-2022:4671 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.5 Via RHSA-2022:4690 https://access.redhat.com/errata/RHSA-2022:4690 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.3 Via RHSA-2022:4691 https://access.redhat.com/errata/RHSA-2022:4691 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.4 Via RHSA-2022:4692 https://access.redhat.com/errata/RHSA-2022:4692 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-29165 |