CVE-2022-31105:
Argo CD certificate verification is skipped for connections to OIDC providers

CVSS Score (v3.1): 8.4

Basic Information

EPSS Score: 0.30981%
Published: 7/12/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name                 | Ecosystem | Vulnerable Versions  | First Patched Version
github.com/argoproj/argo-cd  | go        | >= 0.4.0, < 2.2.11   | 2.2.11
github.com/argoproj/argo-cd  | go        | >= 2.3.0, < 2.3.6    | 2.3.6
github.com/argoproj/argo-cd  | go        | >= 2.4.0, < 2.4.5    | 2.4.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing TLS verification in three key OIDC interactions: 1) discovery/config retrieval, 2) JWKS key fetching, and 3) token exchange. The pattern suggests that the HTTP client initialization functions used for OIDC communication were not configuring TLS properly (InsecureSkipVerify=true or a missing rootCA). The partial mitigation via rootCA configuration and the patch's addition of the oidc.tls.insecure.skip.verify flag indicate that these functions previously skipped verification unconditionally. While exact function names aren't provided in the advisories, the OIDC workflow components and Go's standard TLS configuration patterns make these entry points clear.
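As an added illustration (not code from this page or from the Argo CD project), the Go snippet below shows the client-side TLS configuration pattern the analysis refers to: an HTTP client for OIDC discovery built with an operator-supplied root CA, with the system pool, and with InsecureSkipVerify, each exercised against a local test server whose self-signed certificate stands in for an untrusted provider. The oidcClient and fetchDiscovery names, the test server and its discovery response are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// oidcClient builds the HTTP client used for the OIDC discovery, JWKS and token
// endpoints. Certificates are verified against rootCAs (nil selects the system
// pool); insecureSkipVerify=true reproduces the vulnerable, accept-anything behaviour.
func oidcClient(rootCAs *x509.CertPool, insecureSkipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:            rootCAs,
		InsecureSkipVerify: insecureSkipVerify,
		MinVersion:         tls.VersionTLS12,
	}}}
}

// fetchDiscovery requests the discovery document; a TLS failure is returned as the error.
func fetchDiscovery(c *http.Client, issuer string) error {
	resp, err := c.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// demo runs a local TLS server with a self-signed certificate (a constructed stand-in
// for an untrusted OIDC provider) and reports which client configurations accept it.
func demo() (pinnedOK, systemPoolOK, skipVerifyOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"issuer":"constructed"}`)
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // the operator-supplied rootCA from the mitigation
	pinnedOK = fetchDiscovery(oidcClient(pool, false), srv.URL) == nil
	systemPoolOK = fetchDiscovery(oidcClient(nil, false), srv.URL) == nil
	skipVerifyOK = fetchDiscovery(oidcClient(nil, true), srv.URL) == nil
	return
}

func main() {
	p, s, k := demo()
	fmt.Printf("pinned root CA: %v, system pool: %v, skip verify: %v\n", p, s, k)
}
```

Only the first configuration both connects and actually authenticates the provider; the third connects because it checks nothing, which is the behaviour the advisory describes.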


WAF Protection Rules

WAF Rule

Impact

All versions of Argo CD starting with v0.4.0 are vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OIDC provider. (Note: external OIDC provider support was
