Authentication Bypass Affecting github.com/argoproj/argo-cd/v2/server package, versions >=1.4.0 <2.1.15 >=2.2.8 <2.2.9 >=2.3.3 <2.3.4


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.6% (79th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDV2SERVER-2838950
  • published 19 May 2022
  • disclosed 18 May 2022
  • credit Mark Pim, Andrzej Hajto

How to fix?

Upgrade github.com/argoproj/argo-cd/v2/server to version 2.1.15, 2.2.9, 2.3.4 or higher.

Overview

Affected versions of this package are vulnerable to Authentication Bypass by sending a specifically crafted JSON Web Token (JWT) along with the request, as ARGO-CD will trust invalid JWT. Exploiting this vulnerability allow unauthenticated users to impersonate any Argo CD user or role, including the built-in admin account regardless of whether that account is enabled or disabled.

Note: In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled.

Workarounds:

Disable anonymous access:

If you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled.

To find out whether anonymous access is enabled for your Argo CD instance, you can query the argocd-cm ConfigMap in the Argo CD's installation namespace. The below example assumes you have installed Argo CD to the argocd namespace:

$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'

If the result of this command is either empty or false, anonymous access to that instance is not enabled. If the result is true, your instance is vulnerable.

To disable anonymous access, patch the argocd-cm ConfigMap to either remove the users.anonymous.enabled field or set this field to false.

To set the field to false:

$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'

Or you can remove the field completely, thus disabling anonymous access because the default is false:

$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"remove", "path":"/data/users.anonymous.enabled"}]'

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
9 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

10 critical