Authentication Bypass Affecting github.com/argoproj/argo-cd/v2/util/session package, versions >=1.4.0 <2.1.15, >=2.2.8 <2.2.9, >=2.3.3 <2.3.4


0.0
critical
  • Attack Complexity: High
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • snyk-id: SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDV2UTILSESSION-2838951
  • published: 19 May 2022
  • disclosed: 18 May 2022
  • credit: Mark Pim, Andrzej Hajto

How to fix?

Upgrade github.com/argoproj/argo-cd/v2/util/session to version 2.1.15, 2.2.9, 2.3.4 or higher.

Overview

github.com/argoproj/argo-cd/v2/util/session is a declarative, GitOps continuous delivery tool for Kubernetes.

Affected versions of this package are vulnerable to Authentication Bypass: when a specially crafted JSON Web Token (JWT) is sent along with a request, Argo CD will trust the invalid JWT. Exploiting this vulnerability allows unauthenticated users to impersonate any Argo CD user or role, including the built-in admin account, regardless of whether that account is enabled or disabled.

Note: In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled.

Workarounds:

Disable anonymous access:

If you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled.

To find out whether anonymous access is enabled for your Argo CD instance, you can query the argocd-cm ConfigMap in Argo CD's installation namespace. The example below assumes you have installed Argo CD to the argocd namespace:

$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'

If the result of this command is either empty or false, anonymous access to that instance is not enabled. If the result is true, your instance is vulnerable.

To disable anonymous access, patch the argocd-cm ConfigMap to either remove the users.anonymous.enabled field or set this field to false.

To set the field to false:

$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'

Or you can remove the field completely, thus disabling anonymous access because the default is false:

$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"remove", "path":"/data/users.anonymous.enabled"}]'
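
The version ranges and the anonymous-access check above, combined into one triage helper. This is an added example, not code from the advisory or from the Argo CD project. The function names and verdict strings are hypothetical, and it assumes plain X.Y.Z release versions, a sort that supports -V, and a version number supplied by the operator.

```shell
#!/usr/bin/env bash
# Added example: triage helper for the advisory above (hypothetical names).

# ver_lt A B: true when version A sorts strictly before version B.
ver_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# in_range V LOW HIGH: true when LOW <= V < HIGH.
in_range() {
  ! ver_lt "$1" "$2" && ver_lt "$1" "$3"
}

# is_affected V: the three ranges are copied from the advisory title.
is_affected() {
  set -- "${1#v}"   # accept "v2.3.3" as well as "2.3.3"
  in_range "$1" 1.4.0 2.1.15 ||
    in_range "$1" 2.2.8 2.2.9 ||
    in_range "$1" 2.3.3 2.3.4
}

# anon_enabled VALUE: VALUE is the jsonpath output for
# users.anonymous.enabled. Empty or "false" means disabled.
anon_enabled() {
  [ "$1" = "true" ]
}

# assess VERSION ANON_VALUE: prints one verdict word.
assess() {
  if ! is_affected "$1"; then
    echo "not-in-affected-range"
  elif anon_enabled "$2"; then
    echo "vulnerable"
  else
    echo "in-range-anonymous-off"
  fi
}

# Live use: ./triage.sh --live <argocd-version> [namespace]
# Reads the ConfigMap with the same query the advisory gives.
if [ "${1:-}" = "--live" ]; then
  ns="${3:-argocd}"
  val="$(kubectl get -n "$ns" cm argocd-cm \
    -o jsonpath='{.data.users\.anonymous\.enabled}')"
  assess "$2" "$val"
fi
```

A verdict of in-range-anonymous-off means the workaround is in place but the upgrade to 2.1.15, 2.2.9, 2.3.4 or higher is still pending.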