github.com/argoproj/argo-cd is vulnerable to Improper Authorization. The library does not validate the audience claim of signed-in tokens, so a malicious user can be granted privileges based on the token's group claim even though those groups were not intended for Argo CD, causing the API to accept certain invalid tokens.
github.com/advisories/GHSA-q9hr-j4rf-8fjc
github.com/argoproj/argo-cd/commit/20c63babca50a1ab97a4f7595988c27090259e0d
github.com/argoproj/argo-cd/commit/50b9f19d3c58191954e4e06e6b299c5fa1d02317
github.com/argoproj/argo-cd/commit/79baabc8374610e177eb8fc9ddfcbcd4254c0ad7
github.com/argoproj/argo-cd/commit/8a7f8414667ba4a1673e5aa4afa851aa8ebbb3d3
github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc