Closed
Labels: excluded: NOT_IMPORTABLE (This vulnerability only exists in a binary and is not importable.)
Description
In GitHub Security Advisory GHSA-q9hr-j4rf-8fjc, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/argoproj/argo-cd | 2.6.0-rc5 | >= 2.6.0-rc1, < 2.6.0-rc5 |
Cross references:
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518 EFFECTIVELY_PRIVATE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882 NOT_IMPORTABLE
- Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892 NOT_IMPORTABLE
See doc/triage.md for instructions on how to triage this report.
````yaml
modules:
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.6.0-rc1
        fixed: 2.6.0-rc5
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.5.0
        fixed: 2.5.8
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.4.0
        fixed: 2.4.20
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 1.8.2
        fixed: 2.3.14
    packages:
      - package: github.com/argoproj/argo-cd
description: |
  ### Impact

  All versions of Argo CD starting with v1.8.2 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens.

  OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD.

  If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD.

  This bug also increases the blast radius of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD.

  ### Patches

  A patch for this vulnerability has been released in the following Argo CD versions:

  * v2.6.0-rc5
  * v2.5.8
  * v2.4.20
  * v2.3.14

  The patch introduces a new `allowedAudiences` to the OIDC config block. By default, the client ID is the only allowed audience. Users who _want_ Argo CD to accept tokens intended for a different audience may use `allowedAudiences` to specify those audiences.

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: argocd-cm
  data:
    oidc.config: |
      name: Example
      allowedAudiences:
      - audience-1
      - audience-2
      - argocd-client-id  # If `allowedAudiences` is non-empty, Argo CD's client ID must be explicitly added if you want to allow it.
  ```

  Even though [the OIDC spec requires the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken), some tokens may not include it. To avoid a breaking change in a patch release, versions < 2.6.0 of Argo CD will skip the audience claim check for tokens that have no audience. In versions >= 2.6.0, Argo CD will reject all tokens which do not have an audience claim. Users can opt into the old behavior by setting an option:

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: argocd-cm
  data:
    oidc.config: |
      name: Example
      skipAudienceCheckWhenTokenHasNoAudience: true
  ```

  ### Workarounds

  There is no workaround besides upgrading.

  ### Credits

  The Argo CD team would like to express their gratitude to Vladimir Pouzanov (@farcaller) from Indeed, who discovered the issue, reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability), and actively worked with the project to provide a remedy. Many thanks to Vladimir!

  ### References

  * [How to configure OIDC in Argo CD](https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/#existing-oidc-provider)
  * [OIDC spec section discussing the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
  * [JWT spec section discussing the audience claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3)

  ### For more information

  * Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
  * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd
cves:
  - CVE-2023-22482
ghsas:
  - GHSA-q9hr-j4rf-8fjc
````
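The audience rule the advisory describes (only the client ID accepted by default, an explicit `allowedAudiences` list that must include the client ID if it is still to be accepted, and the `skipAudienceCheckWhenTokenHasNoAudience` opt-in for tokens that carry no `aud` claim), written out as an added Go example for this page; it is illustrative code, not Argo CD's own implementation, and it assumes the caller has already verified the token's signature against the configured OIDC provider, as the advisory says Argo CD does.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CheckAudience applies the patched rule to a token's claims, assuming the
// signature has already been verified against the configured OIDC provider.
// allowedAudiences and skipWhenNoAudience model the advisory's
// allowedAudiences and skipAudienceCheckWhenTokenHasNoAudience options;
// this is an illustrative implementation, not Argo CD's own code.
// The aud claim may be a string or an array (RFC 7519 section 4.1.3).
func CheckAudience(payload []byte, clientID string, allowedAudiences []string, skipWhenNoAudience bool) error {
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("bad claims JSON: %w", err)
	}
	var aud []string
	if len(claims.Aud) > 0 {
		var one string
		if json.Unmarshal(claims.Aud, &one) == nil {
			aud = []string{one}
		} else if err := json.Unmarshal(claims.Aud, &aud); err != nil {
			return fmt.Errorf("aud is neither string nor array: %w", err)
		}
	}
	// Before the patch there was no audience check at all; the patched default
	// is to accept only Argo CD's own client ID.
	allowed := allowedAudiences
	if len(allowed) == 0 {
		allowed = []string{clientID}
	}
	if len(aud) == 0 {
		if skipWhenNoAudience {
			return nil // lenient behaviour of < 2.6.0, opt-in for >= 2.6.0
		}
		return fmt.Errorf("token has no aud claim")
	}
	for _, a := range aud {
		for _, ok := range allowed {
			if a == ok {
				return nil
			}
		}
	}
	return fmt.Errorf("audience %v not in allowed audiences %v", aud, allowed)
}
```

With `allowedAudiences` left empty, a token minted for a sibling service (say, a file storage audience) is rejected even though its signature and `groups` claim are valid, which is exactly the gap the advisory closes.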