CVE-2022-31105

moderate-risk

Published 2022-07-12

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.

Do I need to act?

0.25% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.3/10 High

NETWORK / HIGH complexity

Affected Products (2)

Argo Cd

Argo-Cd

Affected Vendors

Linuxfoundation Argoproj

References (6)

Release Notes https://github.com/argoproj/argo-cd/releases/tag/v2.3.6

Release Notes https://github.com/argoproj/argo-cd/releases/tag/v2.4.5

Third Party Advisory https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5

Release Notes https://github.com/argoproj/argo-cd/releases/tag/v2.3.6

Release Notes https://github.com/argoproj/argo-cd/releases/tag/v2.4.5

Third Party Advisory https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5

/ 100

moderate-risk

Severity 25/34 · High

Exploitability 1/34 · Minimal

Exposure 7/34 · Low