Bug 2081686 (CVE-2022-29165)

Summary: CVE-2022-29165 argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: mbenatto, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD's anonymous access is enabled and gains full access to the ArgoCD instance. This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster's confidentiality, integrity, and availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-19 02:37:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2081692    

Description Avinash Hanwate 2022-05-04 11:37:31 UTC 
A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate any Argo CD user or role, including
the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited,
anonymous access to the Argo CD instance must have been enabled.
Comment 15 errata-xmlrpc 2022-05-18 19:43:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:4671 https://access.redhat.com/errata/RHSA-2022:4671
Comment 16 errata-xmlrpc 2022-05-18 21:21:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2022:4690 https://access.redhat.com/errata/RHSA-2022:4690
Comment 17 errata-xmlrpc 2022-05-18 22:05:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:4691 https://access.redhat.com/errata/RHSA-2022:4691
Comment 18 errata-xmlrpc 2022-05-18 22:05:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:4692 https://access.redhat.com/errata/RHSA-2022:4692
Comment 19 Product Security DevOps Team 2022-05-19 02:37:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29165