CVE-2022-31105 : What You Need to Know

Discover the impact of CVE-2022-31105 on Argo CD, a Kubernetes delivery tool. Learn about the certificate validation bug affecting versions from 0.4.0 up to the fixed releases 2.2.11, 2.3.6, and 2.4.5, and the mitigation steps.

Argo CD's certificate verification is skipped for connections to OIDC providers.

Understanding CVE-2022-31105

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is affected by an improper certificate validation bug in versions from 0.4.0 up to, but not including, 2.2.11, 2.3.6, and 2.4.5.

What is CVE-2022-31105?

Argo CD fails to validate TLS certificates on connections to OpenID Connect (OIDC) providers, potentially allowing a malicious provider to be trusted.

The Impact of CVE-2022-31105

The vulnerability poses a high risk with a CVSS base score of 8.3, affecting confidentiality, integrity, and availability.

Technical Details of CVE-2022-31105

The vulnerability involves improper certificate validation, affecting systems running vulnerable versions of Argo CD.

Vulnerability Description

Argo CD versions from 0.4.0 up to, but not including, 2.2.11, 2.3.6, and 2.4.5 skip certificate validation for OIDC provider connections, opening the door to a malicious provider being trusted.

Affected Systems and Versions

Systems running Argo CD versions from 0.4.0 up to, but not including, 2.2.11, 2.3.6, and 2.4.5 are impacted by this vulnerability.

Exploitation Mechanism

The bug could enable attackers to deceive Argo CD into trusting an unauthorized or malicious OIDC provider, compromising the integrity of the authentication flow.

Mitigation and Prevention

Taking immediate action is necessary to secure your system and data.

Immediate Steps to Take

Apply the provided patches by updating to versions 2.4.5, 2.3.6, or 2.2.11 as soon as possible. Additionally, consider implementing the partial workaround described below.

Long-Term Security Practices

Follow secure certificate validation practices and regularly update Argo CD to the latest versions to prevent similar vulnerabilities.
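As an added illustration, not Argo CD's own code, the following Go example (the helper names newOIDCClient and discoveryAccepted are assumptions) contrasts an OIDC client that skips certificate verification, the failure mode this CVE describes, with one that verifies the provider's chain against a configured root CA, and exercises both against a local self-signed test server standing in for a provider.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newOIDCClient builds an HTTP client for an OIDC issuer. rootPEM optionally holds a
// private CA bundle (nil means system roots); insecure reproduces the CVE-2022-31105
// failure mode, in which chain and hostname verification are skipped entirely.
func newOIDCClient(rootPEM []byte, insecure bool) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case insecure:
		cfg.InsecureSkipVerify = true // weak: any certificate, from any issuer, is accepted
	case len(rootPEM) > 0:
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rootPEM) {
			return nil, fmt.Errorf("rootCA: no valid PEM certificate found")
		}
		cfg.RootCAs = pool // hardened: the chain must end at the configured CA
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// discoveryAccepted starts a local TLS server with a self-signed certificate (constructed here,
// standing in for an OIDC provider) and reports whether a client built with the given settings
// completes the discovery request; trustServer feeds that certificate in as rootPEM.
func discoveryAccepted(insecure, trustServer bool) bool {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"issuer":"example"}`)
	}))
	defer srv.Close()
	var rootPEM []byte
	if trustServer {
		rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	}
	c, err := newOIDCClient(rootPEM, insecure)
	if err != nil {
		return false
	}
	resp, err := c.Get(srv.URL + "/.well-known/openid-configuration")
	if err == nil { // a non-nil err here is the handshake failing: unknown authority
		resp.Body.Close()
	}
	return err == nil
}
```

With verification skipped the unknown self-signed server is accepted; with verification enforced it is rejected unless its certificate is the configured root.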

Patching and Updates

Install the released patches for versions 2.4.5, 2.3.6, and 2.2.11 to address the certificate validation vulnerability effectively.
