Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatcveRedhat.comRH:CVE-2023-22482
HistoryJan 25, 2023 - 7:05 p.m.

CVE-2023-22482

2023-01-2519:05:58
redhat.com
access.redhat.com
29
argocd
gitops
improper authorization
invalid tokens
api
id providers
audience claim
signed tokens
validate

CVSS3

9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

43.2%

JSON

A flaw was found in ArgoCD. GitOps is vulnerable to an improper authorization bug where the API may accept invalid tokens. ID providers include an audience claim in signed tokens, which may be used to restrict which services can accept the token. ArgoCD doesn’t properly validate the audience claim in such scenarios; if the ID provider used with ArgoCD is also being used with other audiences, it will accept tokens that may not be intended to access the ArgoCD cluster.

Related

osv 3
veracode 1
hackerone 1
cve 1
prion 1
cvelist 1
nvd 1
github 1
wallarmlab 3
redhat 3
osv
osv
CVE-2023-22482
2023-01-26 21:18:12
JWT audience claim is not verified
2023-01-25 22:02:52
JWT audience claim is not verified in github.com/argoproj/argo-cd
2024-08-20 20:26:01
veracode
veracode
Improper Authorization
2023-02-03 07:29:48
hackerone
hackerone
Internet Bug Bounty: JWT audience claim is not verified
2023-02-28 18:06:26
cve
cve
CVE-2023-22482
2023-01-26 21:18:12
prion
prion
Authorization
2023-01-26 21:18:00
cvelist
cvelist
CVE-2023-22482 JWT audience claim is not verified
2023-01-25 18:25:15
nvd
nvd
CVE-2023-22482
2023-01-26 21:18:12
github
github
JWT audience claim is not verified
2023-01-25 22:02:52
wallarmlab
wallarmlab
Octopus Strike! Three Argo CD API Exploits In Two Weeks
2023-02-11 16:07:05
Don’t Let API Leaks Sink Your Ship | API Security Newsletter
2023-02-02 14:24:48
Predictions for 2023 from Latest API Threat Research | API Security Newsletter
2023-03-09 13:10:48
redhat
redhat
(RHSA-2023:0466) Important: Red Hat OpenShift GitOps security update
2023-01-25 20:21:54
(RHSA-2023:0468) Important: Red Hat OpenShift GitOps security update
2023-01-25 20:47:16
(RHSA-2023:0467) Important: Red Hat OpenShift GitOps security update
2023-01-25 20:30:21

CVSS3

9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

43.2%

JSON
Related for RH:CVE-2023-22482
osv3veracode1hackerone1cve1prion1cvelist1nvd1github1wallarmlab3redhat3