Bug 2160492 (CVE-2023-22482)
| Summary: | CVE-2023-22482 ArgoCD: JWT audience claim is not verified | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | ellin, rgarg, scorneli, security-response-team, shbose, ubhargav |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ArgoCD-2.6.0-rc5, ArgoCD-2.5.8, ArgoCD-2.4.20, ArgoCD-2.3.14 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in ArgoCD. OpenShift GitOps is vulnerable to an improper authorization bug in which the API may accept tokens it should reject. ID providers include an audience (aud) claim in the signed tokens they issue, which restricts which services may accept a given token. ArgoCD does not validate this claim, so if the ID provider used with ArgoCD also issues tokens for other audiences, ArgoCD will accept tokens that were never intended to grant access to the ArgoCD cluster. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-28 06:22:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2160487 | | |
Description
Marco Benatto
2023-01-12 15:20:03 UTC
This issue has been addressed in the following products:

Red Hat OpenShift GitOps 1.6
Via RHSA-2023:0466 https://access.redhat.com/errata/RHSA-2023:0466

Red Hat OpenShift GitOps 1.7
Via RHSA-2023:0467 https://access.redhat.com/errata/RHSA-2023:0467

Red Hat OpenShift GitOps 1.5
Via RHSA-2023:0468 https://access.redhat.com/errata/RHSA-2023:0468

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-22482

To exploit this issue the attacker needs to use a token signed by the OIDC provider, meaning at least some degree of privilege is required to accomplish a successful attack.
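The audience check the Doc Text describes, as an added example that is not ArgoCD's own code: a minimal JWT verifier that first validates the signature and then requires the `aud` claim (a string or an array, as RFC 7519 allows) to name this service; passing `expected_aud=None` reproduces the pre-fix behaviour, where any validly signed token from the shared ID provider is accepted. The key, issuer URL, subject and audience names are constructed sample values, and HS256 stands in for the RS256 most OIDC providers use.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data: one IdP signing key trusted by two relying parties
# (Argo CD and another app), so tokens for either verify under the same key.
IDP_KEY = b"example-idp-signing-key"
ARGOCD_AUDIENCE = "argo-cd"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Mint an HS256 JWT the way the ID provider would (constructed stand-in)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, expected_aud: Optional[str], key: bytes = IDP_KEY) -> dict:
    """Check the signature, then require aud to name this service.
    expected_aud=None is the pre-fix behaviour: aud is never checked."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if expected_aud is None:
        return claims  # vulnerable: any token from this IdP is accepted
    aud = claims.get("aud")
    # RFC 7519: aud is a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_aud not in audiences:
        raise ValueError(f"token not intended for {expected_aud!r} (aud={aud!r})")
    return claims

def accepts(token: str, expected_aud: Optional[str]) -> bool:
    """True if verify_token accepts the token under the given audience policy."""
    try:
        verify_token(token, expected_aud)
        return True
    except ValueError:
        return False
```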