Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520

Closed
GoVulnBot opened this issue Jan 25, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520

GoVulnBot opened this issue Jan 25, 2023 · 2 comments
Assignees
@maceonthompson
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-q9hr-j4rf-8fjc, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/argoproj/argo-cd 2.6.0-rc5 >= 2.6.0-rc1, < 2.6.0-rc5

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.6.0-rc1
        fixed: 2.6.0-rc5
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.5.0
        fixed: 2.5.8
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.4.0
        fixed: 2.4.20
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 1.8.2
        fixed: 2.3.14
    packages:
      - package: github.com/argoproj/argo-cd
description: "### Impact\n\nAll versions of Argo CD starting with v1.8.2 are vulnerable
    to an improper authorization bug causing the API to accept certain invalid tokens.\n\nOIDC
    providers include an `aud` (audience) claim in signed tokens. The value of that
    claim specifies the intended audience(s) of the token (i.e. the service or services
    which are meant to accept the token). Argo CD _does_ validate that the token was
    signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate
    the audience claim, so it will accept tokens that are not intended for Argo CD.\n\nIf
    Argo CD's configured OIDC provider also serves other audiences (for example, a
    file storage service), then Argo CD will accept a token intended for one of those
    other audiences. Argo CD will grant the user privileges based on the token's `groups`
    claim, even though those groups were not intended to be used by Argo CD.\n\nThis
    bug also increases the blast radius of a stolen token. If an attacker steals a
    valid token for a different audience, they can use it to access Argo CD.\n\n###
    Patches\n\nA patch for this vulnerability has been released in the following Argo
    CD versions:\n\n* v2.6.0-rc5\n* v2.5.8\n* v2.4.20\n* v2.3.14\n\nThe patch introduces
    a new `allowedAudiences` to the OIDC config block. By default, the client ID is
    the only allowed audience. Users who _want_ Argo CD to accept tokens intended
    for a different audience may use `allowedAudiences` to specify those audiences.\n\n```yaml\napiVersion:
    v1\nkind: ConfigMap\nmetadata:\n  name: argocd-cm\ndata:\n  oidc.config: |\n    name:
    Example\n    allowedAudiences:\n    - audience-1\n    - audience-2\n    - argocd-client-id
    \ # If `allowedAudiences` is non-empty, Argo CD's client ID must be explicitly
    added if you want to allow it.\n```\n\nEven though [the OIDC spec requires the
    audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken),
    some tokens may not include it. To avoid a breaking change in a patch release,
    versions < 2.6.0 of Argo CD will skip the audience claim check for tokens that
    have no audience. In versions >= 2.6.0, Argo CD will reject all tokens which do
    not have an audience claim. Users can opt into the old behavior by setting an
    option:\n\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: argocd-cm\ndata:\n
    \ oidc.config: |\n    name: Example\n    skipAudienceCheckWhenTokenHasNoAudience:
    true\n```\n\n### Workarounds\n\nThere is no workaround besides upgrading.\n\n###
    Credits \n\nThe Argo CD team would like to express their gratitude to Vladimir
    Pouzanov (@farcaller) from Indeed, who discovered the issue, reported it confidentially
    according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability),
    and actively worked with the project to provide a remedy. Many thanks to Vladimir!\n\n###
    References\n\n* [How to configure OIDC in Argo CD](https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/#existing-oidc-provider)\n*
    [OIDC spec section discussing the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\n*
    [JWT spec section discussing the audience claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3)\n\n###
    For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues)
    or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on
    [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n"
cves:
  - CVE-2023-22482
ghsas:
  - GHSA-q9hr-j4rf-8fjc
@maceonthompson maceonthompson self-assigned this Feb 6, 2023
@maceonthompson maceonthompson added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Feb 6, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/466475 mentions this issue: data/excluded: batch add GO-2023-1527, GO-2023-1524, GO-2023-1516, GO-2023-1514, GO-2023-1513, GO-2023-1511, GO-2023-1523, GO-2023-1522, GO-2023-1520, GO-2023-1512

@maceonthompson maceonthompson mentioned this issue Feb 8, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 16, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Mar 27, 2023
Closed
This was referenced Aug 23, 2023
Closed
Closed
This was referenced Sep 8, 2023
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 27, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 19, 2024
Closed
This was referenced Mar 18, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 15, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 26, 2024
Closed
This was referenced May 21, 2024
Closed
Closed
This was referenced Jun 7, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 24, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606782 mentions this issue: data/reports: unexclude 20 reports (2)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (2)
a585aa5 
  - data/reports/GO-2023-1512.yaml
  - data/reports/GO-2023-1520.yaml
  - data/reports/GO-2023-1524.yaml
  - data/reports/GO-2023-1527.yaml
  - data/reports/GO-2023-1533.yaml
  - data/reports/GO-2023-1541.yaml
  - data/reports/GO-2023-1542.yaml
  - data/reports/GO-2023-1543.yaml
  - data/reports/GO-2023-1544.yaml
  - data/reports/GO-2023-1550.yaml
  - data/reports/GO-2023-1551.yaml
  - data/reports/GO-2023-1552.yaml
  - data/reports/GO-2023-1553.yaml
  - data/reports/GO-2023-1554.yaml
  - data/reports/GO-2023-1555.yaml
  - data/reports/GO-2023-1560.yaml
  - data/reports/GO-2023-1577.yaml
  - data/reports/GO-2023-1581.yaml
  - data/reports/GO-2023-1582.yaml
  - data/reports/GO-2023-1583.yaml

Updates #1512
Updates #1520
Updates #1524
Updates #1527
Updates #1533
Updates #1541
Updates #1542
Updates #1543
Updates #1544
Updates #1550
Updates #1551
Updates #1552
Updates #1553
Updates #1554
Updates #1555
Updates #1560
Updates #1577
Updates #1581
Updates #1582
Updates #1583

Change-Id: I6a2829acd39b6e598b81e8138e6d126128073198
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606782
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@maceonthompson maceonthompson

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @maceonthompson @GoVulnBot