CVE-2022-29165: 
Argo CD vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-29165) was discovered in Argo CD versions 1.4.0 through 2.1.14, 2.2.8, and 2.3.3. The vulnerability allows an unauthenticated attacker to craft a malicious JWT token while ArgoCD's anonymous access is enabled, potentially gaining full access to the ArgoCD instance (GitHub Advisory, Red Hat CVE).

The vulnerability enables attackers to impersonate any ArgoCD user or role, including the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request. This flaw is exploitable when anonymous access to the Argo CD instance is enabled, though it's disabled by default. The vulnerability has received a CVSS v3.1 base score of 10.0 (Critical), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (GitHub Advisory).

The vulnerability allows attackers to escalate their privileges to cluster admin level in default installations, enabling them to create, manipulate, and delete any resource on the cluster. Additionally, attackers can exfiltrate data by deploying malicious workloads with elevated privileges, bypassing any redaction of sensitive data enforced by the Argo CD API (GitHub Advisory, Red Hat Solution).

The vulnerability has been patched in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. For users unable to upgrade immediately, the primary workaround is to disable anonymous access by either removing the users.anonymous.enabled field or setting it to 'false' in the argocd-cm ConfigMap (GitHub Advisory, GitHub Releases).