Vulnerability Details : CVE-2022-24768
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug that allows a malicious user to escalate their privileges to admin level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue.

To exploit it, an authorized Argo CD user needs either push access to an Application's source git or Helm repository, or `sync` and `override` access to an Application. With that access, different exploitation levels are possible depending on the user's other RBAC privileges.

A patch for this vulnerability has been released in Argo CD versions 2.3.2, 2.2.8, and 2.1.14. Some mitigation measures are available but do not substitute for upgrading. To avoid privilege escalation, limit who has push access to Application source repositories or `sync` + `override` access to Applications, and limit which repositories are available in projects where users have `update` access to Applications. To avoid unauthorized resource inspection or tampering, limit who has `delete`, `get`, or `action` access to Applications.
Vulnerability category: Gain privilege
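The mitigations above are all RBAC decisions, so the practical check is to read the `policy.csv` from `argocd-rbac-cm` and ask, per user, which of the advisory's risky capabilities they hold on a given Application. The script below is an added example, not code from this page or from the Argo CD project. It assumes policy lines in the documented `p, subject, resource, action, object, effect` and `g, member, role` form, re-implements the matching in simplified form (glob matching via `fnmatch`, a deny line overriding any allow, no `policy.default` role), and uses constructed sample policies plus a hypothetical repository URL; a project's `spec.sourceRepos` list is passed in by hand.

```python
"""Audit an Argo CD policy.csv for the permission combinations the
CVE-2022-24768 advisory names. Added example; simplified matcher, not
Argo CD's own Casbin model."""
import fnmatch
from collections import defaultdict

# Capabilities named in the advisory and what each lets an attacker do.
RISKS = {
    "sync+override": "sync + override on an Application: push arbitrary manifests (admin escalation)",
    "update+open-repos": "update on an Application whose project allows any source repo: repoint the Application",
    "delete": "delete on an Application: tamper with managed resources",
    "get": "get on an Application: inspect managed resources",
    "action": "action on an Application: run resource actions",
}


def parse_policy(csv_text):
    """Split policy.csv into p-lines (subject, resource, action, object, effect)
    and g-lines (member -> set of roles)."""
    policies, groups = [], defaultdict(set)
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            policies.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            groups[fields[1]].add(fields[2])
    return policies, groups


def effective_subjects(user, groups):
    """The user plus every role reachable through g-lines (roles can nest)."""
    seen, todo = set(), [user]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(groups.get(s, ()))
    return seen


def allowed(policies, groups, user, resource, action, obj):
    """Simplified effect model: at least one matching allow and no matching deny."""
    subjects = effective_subjects(user, groups)
    allow = deny = False
    for sub, res, act, pat, effect in policies:
        if (sub in subjects
                and fnmatch.fnmatchcase(resource, res)
                and fnmatch.fnmatchcase(action, act)
                and fnmatch.fnmatchcase(obj, pat)):
            if effect == "allow":
                allow = True
            elif effect == "deny":
                deny = True
    return allow and not deny


def audit(csv_text, users, app, source_repos):
    """Return {user: set of RISKS keys} for one Application ("project/name")
    whose AppProject has the given spec.sourceRepos list."""
    policies, groups = parse_policy(csv_text)
    report = {}
    for user in users:
        def can(action):
            return allowed(policies, groups, user, "applications", action, app)
        found = set()
        if can("sync") and can("override"):
            found.add("sync+override")
        if can("update") and "*" in source_repos:  # any repo may be set as the source
            found.add("update+open-repos")
        for action in ("delete", "get"):
            if can(action):
                found.add(action)
        # Resource actions are granted as action/<group>/<kind>/<name>; probing with
        # the wildcard form catches role lines written as action/* or *.
        if can("action/*"):
            found.add("action")
        report[user] = found
    return report


# Constructed sample policies, not taken from any real deployment.
WEAK_POLICY = """
p, role:developer, applications, get, team-a/*, allow
p, role:developer, applications, sync, team-a/*, allow
p, role:developer, applications, override, team-a/*, allow
p, role:developer, applications, update, team-a/*, allow
p, role:auditor, applications, get, */*, allow
g, alice, role:developer
g, bob, role:auditor
"""

# Same roles with override denied; pair with an AppProject whose
# spec.sourceRepos lists only the team's own repository.
HARDENED_POLICY = WEAK_POLICY.replace(
    "override, team-a/*, allow", "override, team-a/*, deny")
OPEN_PROJECT = ["*"]
PINNED_PROJECT = ["https://git.example.invalid/team-a/manifests.git"]  # hypothetical URL

if __name__ == "__main__":
    for label, policy, repos in (("weak", WEAK_POLICY, OPEN_PROJECT),
                                 ("hardened", HARDENED_POLICY, PINNED_PROJECT)):
        print(f"== {label} ==")
        for user, found in audit(policy, ["alice", "bob"], "team-a/web", repos).items():
            for code in sorted(found):
                print(f"{user}: {RISKS[code]}")
```

With the weak policy and an open project, `alice` is flagged for `sync+override` and for `update` against an unrestricted `sourceRepos`; after denying `override` and pinning the project's repositories, only her `get` access remains, which is the inspection-level finding the advisory asks you to review rather than a privilege escalation. The matcher is deliberately simplified, so treat its output as a triage list and confirm each hit with `argocd admin settings rbac can` against the real policy.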
Products affected by CVE-2022-24768
- cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24768
- EPSS score: 0.38% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~58% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-24768
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 3.1 | 6.0 | GitHub, Inc. | |
CWE ids for CVE-2022-24768
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: nvd@nist.gov (Primary)
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24768
- https://github.com/argoproj/argo-cd/releases/tag/v2.1.14 (Release v2.1.14 · argoproj/argo-cd · GitHub) Release Notes; Third Party Advisory
- https://github.com/argoproj/argo-cd/releases/tag/v2.2.8 (Release v2.2.8 · argoproj/argo-cd · GitHub) Release Notes; Third Party Advisory
- https://github.com/argoproj/argo-cd/commit/af03b291d4b7e9d3ce9a6580ae9c8141af0e05cf (Merge pull request from GHSA-2f5v-8r3f-8pww · argoproj/argo-cd@af03b29 · GitHub) Patch; Third Party Advisory
- https://github.com/argoproj/argo-cd/releases/tag/v2.3.2 (Release v2.3.2 · argoproj/argo-cd · GitHub) Release Notes; Third Party Advisory
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww (Improper access control allows admin privilege escalation · Advisory · argoproj/argo-cd · GitHub) Mitigation; Third Party Advisory