2081686 – (CVE-2022-29165) CVE-2022-29165 argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled

Bug 2081686 (CVE-2022-29165) - CVE-2022-29165 argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled

Summary: CVE-2022-29165 argocd: ArgoCD will blindly trust JWT claims if anonymous acce...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-29165
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2081692
TreeView+	depends on / blocked

Reported:	2022-05-04 11:37 UTC by Avinash Hanwate
Modified:	2022-07-07 15:58 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD's anonymous access is enabled and gains full access to the ArgoCD instance. This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster's confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:	2022-05-19 02:37:11 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:4671	None	None	None	2022-05-18 19:43:24 UTC
Red Hat Product Errata	RHSA-2022:4690	None	None	None	2022-05-18 21:22:01 UTC
Red Hat Product Errata	RHSA-2022:4691	None	None	None	2022-05-18 22:05:09 UTC
Red Hat Product Errata	RHSA-2022:4692	None	None	None	2022-05-18 22:05:33 UTC

Description Avinash Hanwate 2022-05-04 11:37:31 UTC

A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate any Argo CD user or role, including
the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited,
anonymous access to the Argo CD instance must have been enabled.

Comment 15 errata-xmlrpc 2022-05-18 19:43:21 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:4671 https://access.redhat.com/errata/RHSA-2022:4671

Comment 16 errata-xmlrpc 2022-05-18 21:21:59 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2022:4690 https://access.redhat.com/errata/RHSA-2022:4690

Comment 17 errata-xmlrpc 2022-05-18 22:05:07 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:4691 https://access.redhat.com/errata/RHSA-2022:4691

Comment 18 errata-xmlrpc 2022-05-18 22:05:31 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:4692 https://access.redhat.com/errata/RHSA-2022:4692

Comment 19 Product Security DevOps Team 2022-05-19 02:37:09 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29165

Note You need to log in before you can comment on or make changes to this bug.