Improper Restriction of Security Token Assignment Affecting github.com/argoproj/argo-cd/v2/util/session package, versions >=2.6.0-rc1 <2.6.0-rc5 >=2.5.0 <2.5.8 >=2.4.0 <2.4.20 <2.3.14


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDV2UTILSESSION-3248495
  • published 26 Jan 2023
  • disclosed 25 Jan 2023
  • credit Unknown

How to fix?

Upgrade github.com/argoproj/argo-cd/v2/util/session to version 2.6.0-rc5, 2.5.8, 2.4.20, 2.3.14 or higher.

Overview

github.com/argoproj/argo-cd/v2/util/session is a declarative, GitOps continuous delivery tool for Kubernetes.

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment causing the API to accept certain invalid tokens.

OIDC providers include an aud (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD does validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD does not validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's groups claim, even though those groups were not intended to be used by Argo CD. This also increases the blast radius of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
9 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.8 high