4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-24905

GHSA ID

GHSA-xmg8-99r8-jc2j

EPSS Score

0.59456%

CWE

CWE-20

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24905

CVE-2022-24905: Login screen allows message spoofing if SSO is enabled

Impact

A vulnerability was found in Argo CD that allows an attacker to spoof error messages on the login screen when SSO is enabled.

In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed.

As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message.

Patched versions

A patch for this vulnerability has been released in the following Argo CD versions:

v2.3.4
v2.2.9
v2.1.15

Workarounds

No workaround available.

Mitigations

It is advised to update to an Argo CD version containing a fix for this issue (see Patched versions above).

Credits

This vulnerability was discovered by Naufal Septiadi (naufal@horangi.com) and reported to us in a responsible way.

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-24905

CVE-2022-24905:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-24905

GHSA ID

GHSA-xmg8-99r8-jc2j

EPSS Score

0.59456%

CWE

CWE-20

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-cd/v2	go	>= 2.3.0, < 2.3.4	2.3.4
github.com/argoproj/argo-cd/v2	go	>= 2.2.0, < 2.2.9	2.2.9
github.com/argoproj/argo-cd/v2	go	>= 2.0.0, < 2.1.15	2.1.15
github.com/argoproj/argo-cd	go	<= 1.8.7	2.1.15

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points:

Backend (dex.go): The reverse proxy handler extracted error messages from Dex responses using insecure regex parsing and reflected them in redirect URLs via sso_error parameter without validation.
Frontend (login.tsx): The React component directly consumed sso_error URL parameter values for display without sanitization.

Both functions would appear in runtime traces during exploitation - the backend function when processing SSO errors, and the frontend function when rendering spoofed messages from crafted URLs. The patches fundamentally change both locations to eliminate message injection vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-24905: Login screen allows message spoofing if SSO is enabled

Impact

Patched versions

Workarounds

Mitigations

Credits

For more information

CVE-2022-24905:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-24905: Login screen allows message spoofing if SSO is enabled

Impact

Patched versions

Workarounds

Mitigations

Credits

For more information

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.3

4.3

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI