CVE-2022-31105: 
Argo CD vulnerability analysis and mitigation

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, was found to contain an improper certificate validation vulnerability (CVE-2022-31105). The vulnerability affects versions from 0.4.0 up to versions 2.2.11, 2.3.6, and 2.4.5. This security flaw could cause Argo CD to trust a malicious or untrustworthy OpenID Connect (OIDC) provider (GitHub Advisory).

The vulnerability stems from a certificate verification being skipped when connecting to OIDC providers for tasks including verifying auth tokens on API requests and handling SSO login flows. The issue received a CVSS v3.1 base score of 9.6 (Critical) from NVD and 8.3 (High) from GitHub, with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-295 (Improper Certificate Validation) and CWE-599 (Missing Validation of OpenSSL Certificate) (NVD).

The vulnerability could allow an attacker to perform machine-in-the-middle attacks. If an attacker successfully intercepts, decrypts, and responds to requests bound for the configured OIDC provider, they could potentially issue a 'valid' admin token. This affects systems that have SSO enabled and where insecure mode is not enabled on the API server (GitHub Advisory).

The vulnerability has been patched in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. For users unable to upgrade immediately, a partial workaround exists for those using an external OIDC provider by setting the oidc.config.rootCA field in the argocd-cm ConfigMap. However, this mitigation only forces certificate validation during API server login flows and does not address token verification on API calls (GitHub Advisory).