#VU63413 Authentication Bypass by Spoofing in Argo CD - CVE-2022-29165
Published: May 19, 2022 / Updated: May 19, 2022
Vulnerability identifier: #VU63413
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-29165
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Argo CD
Software vendor:
Argo
Description
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to an error in the authentication process. A remote non-authenticated attacker can send a specially crafted JSON Web Token (JWT) along with the request and impersonate any Argo CD user or role, including the admin user.
Successful exploitation of the vulnerability requires that anonymous access to the Argo CD instance be enabled.
Remediation
Install updates from the vendor's website.
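The advisory names one precondition for exploitation (anonymous access enabled) and one remediation (update). The following Python check is an added example, not part of this advisory and not Argo CD project code: it audits an exported argocd-cm ConfigMap for that precondition, produces the corrected ConfigMap with anonymous access disabled, and combines the result with patch status into a finding. The ConfigMap key `users.anonymous.enabled` comes from the Argo CD RBAC documentation; the ConfigMap content, the hostname and the `version_patched` flag are constructed assumptions (the fixed versions are not listed on this page, so the patch status is supplied by the caller).

```python
"""Audit an Argo CD argocd-cm ConfigMap for the precondition named in this
advisory (anonymous access enabled) and emit the hardened ConfigMap.

Added example, not Argo CD project code. The key name is taken from the
Argo CD RBAC documentation; everything else below is constructed."""
import json

# Documented argocd-cm key that enables anonymous access (assumption: the key
# name is unchanged in the reader's Argo CD version).
ANON_KEY = "users.anonymous.enabled"

# Constructed sample of what `kubectl get cm argocd-cm -n argocd -o json`
# could return for an instance with anonymous access switched on.
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "argocd-cm", "namespace": "argocd"},
    "data": {
        "url": "https://argocd.example.invalid",  # placeholder hostname
        ANON_KEY: "true",
    },
})


def _load_argocd_cm(configmap_json: str) -> dict:
    """Parse the JSON and make sure it really is the argocd-cm ConfigMap."""
    cm = json.loads(configmap_json)
    name = (cm.get("metadata") or {}).get("name")
    if cm.get("kind") != "ConfigMap" or name != "argocd-cm":
        raise ValueError("expected the argocd-cm ConfigMap")
    return cm


def anonymous_access_enabled(configmap_json: str) -> bool:
    """Return True if the ConfigMap enables anonymous access.

    ConfigMap values are strings; only the literal "true" (trimmed,
    case-insensitive) counts as enabled. A missing key means disabled,
    which is the documented default."""
    cm = _load_argocd_cm(configmap_json)
    value = (cm.get("data") or {}).get(ANON_KEY, "false")
    return str(value).strip().lower() == "true"


def hardened_configmap(configmap_json: str) -> str:
    """Return the same ConfigMap with anonymous access explicitly disabled.

    Setting the key to "false" rather than deleting it leaves an auditable
    record of the decision in the manifest."""
    cm = _load_argocd_cm(configmap_json)
    data = dict(cm.get("data") or {})
    data[ANON_KEY] = "false"
    cm["data"] = data
    return json.dumps(cm, indent=2)


def assess(configmap_json: str, version_patched: bool) -> dict:
    """Combine the precondition with patch status into a finding.

    version_patched is supplied by the caller after comparing the running
    version against the vendor's fixed versions (not listed on this page)."""
    anon = anonymous_access_enabled(configmap_json)
    exposed = anon and not version_patched
    if exposed:
        action = "update Argo CD; until then disable anonymous access"
    elif not version_patched:
        action = "update Argo CD (precondition currently absent)"
    elif anon:
        action = "patched; confirm anonymous access is still required"
    else:
        action = "none"
    return {
        "anonymous_access": anon,
        "patched": version_patched,
        "exposed_to_CVE-2022-29165": exposed,
        "action": action,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_CONFIGMAP_JSON, version_patched=False), indent=2))
    print(hardened_configmap(SAMPLE_CONFIGMAP_JSON))
```

Run it against a real export by replacing SAMPLE_CONFIGMAP_JSON with the output of `kubectl get cm argocd-cm -n argocd -o json` (namespace adjusted to the deployment). The check treats the ConfigMap as the source of truth for the precondition; the update itself remains the remediation the advisory gives.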