Authentication Bypass Affecting github.com/argoproj/argo-cd/v2/server package, versions >=1.4.0 <2.1.15 >=2.2.8 <2.2.9 >=2.3.3 <2.3.4

Affected versions of this package are vulnerable to Authentication Bypass by sending a specifically crafted JSON Web Token (JWT) along with the request, as ARGO-CD will trust invalid JWT. Exploiting this vulnerability allow unauthenticated users to impersonate any Argo CD user or role, including the built-in admin account regardless of whether that account is enabled or disabled.

Note: In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled.

Disable anonymous access:

If you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled.

To find out whether anonymous access is enabled for your Argo CD instance, you can query the argocd-cm ConfigMap in the Argo CD's installation namespace. The below example assumes you have installed Argo CD to the argocd namespace:

$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'

If the result of this command is either empty or false, anonymous access to that instance is not enabled. If the result is true, your instance is vulnerable.

To disable anonymous access, patch the argocd-cm ConfigMap to either remove the users.anonymous.enabled field or set this field to false.

To set the field to false:

$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'

Or you can remove the field completely, thus disabling anonymous access because the default is false:

$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"remove", "path":"/data/users.anonymous.enabled"}]'

• GitHub Commit
• GitHub Release