一、漏洞简介¶

1.1 漏洞背景¶

2023 年初，ArgoCD 被发现存在 OIDC（OpenID Connect）令牌验证缺陷，允许攻击者使用为其他服务签发的 JWT 令牌访问 ArgoCD。

1.2 漏洞概述（包含 CVE 编号、危害等级、漏洞类型、披露时间等）¶

项目	内容
漏洞编号	CVE-2023-22482
危害等级	CRITICAL / 9.0
漏洞类型	JWT Audience 验证缺失漏洞
披露时间	2023-01-26
影响组件	ArgoCD

CVE编号: CVE-2023-22482
危害等级: 高（High）
CVSS评分: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
漏洞类型: 授权不当（Incorrect Authorization）/ 认证绕过

补充核验信息：公开时间：2023-01-26；NVD 评分：9.0（CRITICAL）；CWE：CWE-863。

二、影响范围¶

2.1 受影响的版本¶

ArgoCD >= 1.8.2 且 < 2.3.14
ArgoCD >= 2.4.0 且 < 2.4.20
ArgoCD >= 2.5.0 且 < 2.5.8
ArgoCD >= 2.6.0-rc1 且 < 2.6.0-rc5

2.2 不受影响的版本¶

ArgoCD >= 2.3.14
ArgoCD >= 2.4.20
ArgoCD >= 2.5.8
ArgoCD >= 2.6.0-rc5
ArgoCD < 1.8.2

2.3 触发条件（如特定模块、特定配置、特定运行环境等）¶

OIDC 集成：ArgoCD 配置了 OIDC 身份提供者
多服务共享 OIDC：同一个 OIDC 提供者同时服务 ArgoCD 和其他应用
令牌复用：攻击者获取了为其他服务签发的有效令牌
组声明存在：令牌中包含 ArgoCD 会信任的组声明

三、漏洞详情与原理解析¶

3.1 漏洞触发机制¶

OIDC 提供者会在签发的令牌中包含 aud（audience）声明，指定令牌的预期接收者。ArgoCD 虽然验证了令牌的签名，但未验证 audience 声明，导致令牌可以在不同服务间复用。

正常流程：

用户 -> OIDC Provider -> 获取 ArgoCD 令牌 (aud=argocd) -> 访问 ArgoCD ✓

漏洞利用流程：

攻击者 -> OIDC Provider -> 获取其他服务令牌 (aud=other-service) -> 访问 ArgoCD ✓

3.2 源码层面的根因分析（结合源码与补丁对比）¶

受影响的代码：

```go // util/oidc/oidc.go (漏洞版本)

func (o OIDC) VerifyToken(tokenString string) (jwt.MapClaims, error) { // 验证签名 token, err := jwt.Parse(tokenString, func(token jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) } return o.publicKey, nil })

if err != nil {
    return nil, err
}

claims, ok := token.Claims.(jwt.MapClaims)
if !ok || !token.Valid {
    return nil, fmt.Errorf("invalid token")
}

// 问题：未验证 audience (aud) 声明
// ArgoCD 直接信任令牌中的所有声明

// 仅验证签名和基本声明
if err := claims.Valid(); err != nil {
    return nil, err
}

// 提取用户信息，包括组声明
groups := o.extractGroups(claims)

return claims, nil

}

func (o *OID

四、漏洞复现（可选）¶

4.1 环境搭建¶

暂无公开可验证复现信息。

4.2 PoC 演示与测试过程¶

暂无公开可验证复现信息。

五、修复建议与缓解措施¶

5.1 官方版本升级建议¶

优先升级到 2.3.14 或同等后续安全版本。
优先升级到 2.4.20 或同等后续安全版本。
优先升级到 2.5.8 或同等后续安全版本。
升级前请结合官方发布说明确认兼容性与回滚方案。

5.2 临时缓解方案（如修改配置文件、关闭相关模块、增加 WAF 规则等）¶

立即启用鉴权、轮换默认凭据或密钥，并限制管理接口仅对可信网段开放。
为高风险接口增加 IP 白名单、ACL 或反向代理访问控制。

六、参考信息 / 参考链接¶

6.1 官方安全通告¶

https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc

6.2 其他技术参考资料¶

NVD：https://nvd.nist.gov/vuln/detail/CVE-2023-22482
CVE：https://www.cve.org/CVERecord?id=CVE-2023-22482
https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc

<hr />

ArgoCD ???????CVE-2022-31105?¶

??????¶

1.1 ????¶

ArgoCD ???????????? CVE-2022-31105 ??????????????????????? HIGH?CVSS 8.3?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2022-31105
????	HIGH
CVSS ??	8.3
????	CWE-295?CWE-599
????	2022-07-12
????	ArgoCD

??????¶

2.1 ??????¶

argoproj:argo_cd:*, >= 2.3.0, < 2.3.6
argoproj:argo_cd:*, >= 2.4.0, < 2.4.5
linuxfoundation:argo-cd:*, >= 0.4.0, < 2.2.11

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A pat...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-295?CWE-599?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2022-31105
https://www.cve.org/CVERecord?id=CVE-2022-31105
https://github.com/argoproj/argo-cd/releases/tag/v2.3.6
https://github.com/argoproj/argo-cd/releases/tag/v2.4.5
https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5

<hr />

ArgoCD ???????CVE-2023-40029?¶

??????¶

1.1 ????¶

ArgoCD ???????????? CVE-2023-40029 ??????????????????????? CRITICAL?CVSS 9.9?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2023-40029
????	CRITICAL
CVSS ??	9.9
????	CWE-200?CWE-532
????	2023-09-07
????	ArgoCD

??????¶

2.1 ??????¶

argoproj:argo_cd:*, >= 2.2.0, < 2.6.15
argoproj:argo_cd:*, >= 2.7.0, < 2.7.14
argoproj:argo_cd:*, >= 2.8.0, < 2.8.3

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored inkubectl.kubernetes.io/last-applied-configuration annotation. pull request #7139 introduced the ability to manage cluster...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-200?CWE-532?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2023-40029
https://www.cve.org/CVERecord?id=CVE-2023-40029
https://github.com/argoproj/argo-cd/commit/4b2e5b06bff2ffd8ed1970654ddd8e55fc4a41c4
https://github.com/argoproj/argo-cd/pull/7139
https://github.com/argoproj/argo-cd/security/advisories/GHSA-fwr2-64vr-xv9m

<hr />

ArgoCD ???????CVE-2024-21652?¶

??????¶

1.1 ????¶

ArgoCD ???????????? CVE-2024-21652 ??????????????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2024-21652
????	CRITICAL
CVSS ??	9.8
????	CWE-307
????	2024-03-18
????	ArgoCD

??????¶

2.1 ??????¶

argoproj:argo_cd:*, < 2.8.13
argoproj:argo_cd:*, >= 2.9.0, < 2.9.9
argoproj:argo_cd:*, >= 2.10.0, < 2.10.4

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-307?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2024-21652
https://www.cve.org/CVERecord?id=CVE-2024-21652
https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv

<hr />

ArgoCD ???????CVE-2024-21662?¶

??????¶

1.1 ????¶

ArgoCD ???????????? CVE-2024-21662 ??????????????????????? HIGH?CVSS 7.5?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2024-21662
????	HIGH
CVSS ??	7.5
????	CWE-307
????	2024-03-18
????	ArgoCD

??????¶

2.1 ??????¶

argoproj:argo_cd:*, < 2.8.13
argoproj:argo_cd:*, >= 2.9.0, < 2.9.9
argoproj:argo_cd:*, >= 2.10.0, < 2.10.4

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnera...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-307?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2024-21662
https://www.cve.org/CVERecord?id=CVE-2024-21662
https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force
https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d
https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b
https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456
https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454

<hr />

ArgoCD ???????CVE-2024-31989?¶

??????¶

1.1 ????¶

ArgoCD ???????????? CVE-2024-31989 ??????????????????????? CRITICAL?CVSS 9.0?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2024-31989
????	CRITICAL
CVSS ??	9.0
????	CWE-327
????	2024-05-21
????	ArgoCD

??????¶

2.1 ??????¶

argoproj:argo_cd:*, < 2.8.19
argoproj:argo_cd:*, >= 2.9.0, < 2.9.15
argoproj:argo_cd:*, >= 2.10.0, < 2.10.10
argoproj:argo_cd:*, >= 2.11.0, < 2.11.1

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manu...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-327?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2024-31989
https://www.cve.org/CVERecord?id=CVE-2024-31989
https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d
https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678
https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c
https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff
https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12
https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07