Improper Restriction of Security Token Assignment Affecting github.com/argoproj/argo-cd/util/session package, versions >=1.8.2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDUTILSESSION-3248494
- published 26 Jan 2023
- disclosed 25 Jan 2023
- credit Unknown
Introduced: 25 Jan 2023
CVE-2023-22482 Open this link in a new tabHow to fix?
There is no fixed version for github.com/argoproj/argo-cd/util/session.
Overview
github.com/argoproj/argo-cd/util/session is a Declarative continuous deployment for Kubernetes.
Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment causing the API to accept certain invalid tokens.
OIDC providers include an aud (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD does validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD does not validate the audience claim, so it will accept tokens that are not intended for Argo CD.
If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's groups claim, even though those groups were not intended to be used by Argo CD.
This also increases the blast radius of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD.