CVE-2023-22482: 
Argo CD vulnerability analysis and mitigation

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, was found to contain an improper authorization vulnerability (CVE-2023-22482) affecting versions starting from v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3. The vulnerability was discovered by Vladimir Pouzanov from Indeed and disclosed in January 2023 (GitHub Advisory).

The vulnerability stems from Argo CD's failure to validate the JWT audience ('aud') claim in tokens. While Argo CD validates that tokens are signed by its configured OIDC provider, it does not verify the audience claim, allowing it to accept tokens intended for other services. This improper authorization bug causes the API to accept certain invalid tokens. The vulnerability has received a CVSS v3.1 base score of 9.0 (Critical) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

If Argo CD's configured OIDC provider serves multiple audiences (such as a file storage service), the system will accept tokens intended for those other audiences. This allows unauthorized access as Argo CD will grant user privileges based on the token's groups claim, even when these groups were not intended for Argo CD usage. Additionally, the vulnerability increases the impact of stolen tokens, as attackers can use tokens intended for different services to access Argo CD (GitHub Advisory).

The vulnerability has been patched in Argo CD versions 2.6.0-rc5, v2.5.8, v2.4.20, and v2.3.14. The patch introduces a new 'allowedAudiences' configuration in the OIDC config block, with the client ID set as the default allowed audience. No workarounds are available besides upgrading to a patched version (GitHub Advisory).