Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-31105

Опубликовано: 12 июл. 2022
Источник: nvd
CVSS3: 8.3
CVSS3: 9.6
CVSS2: 5.1
EPSS Низкий

Описание

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the oidc.config.rootCA field in the argocd-cm ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
Версия от 2.3.0 (включая) до 2.3.6 (исключая)
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
Версия от 2.4.0 (включая) до 2.4.5 (исключая)
cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*
Версия от 0.4.0 (включая) до 2.2.11 (исключая)

EPSS

Процентиль: 48%
0.00254
Низкий

8.3 High

CVSS3

9.6 Critical

CVSS3

5.1 Medium

CVSS2

Дефекты

CWE-295
CWE-295

Связанные уязвимости

redhat логотип

CVE-2022-31105

CVSS3: 8.3
redhat
больше 3 лет назад

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.

github логотип

GHSA-7943-82jg-wmw5

CVSS3: 8.3
github
больше 3 лет назад

Argo CD certificate verification is skipped for connections to OIDC providers

fstec логотип

BDU:2022-04887

CVSS3: 9.6
fstec
больше 3 лет назад

Уязвимость инструмента автоматизации развертывания приложений в Kubernetes ArgoCD, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю проводить спуфинг-атаки

EPSS

Процентиль: 48%
0.00254
Низкий

8.3 High

CVSS3

9.6 Critical

CVSS3

5.1 Medium

CVSS2

Дефекты

CWE-295
CWE-295