SCA: security update for github.com/argoproj/argo-cd (GHSA-7943-82jg-wmw5)

critical Tenable Cloud Security Plugin ID 411955

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version
0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which
could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A
patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no
complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not
the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the
`argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles
login flows. It does not force certificate verification when verifying tokens on API calls.
(CVE-2022-31105)

See Also

https://github.com/advisories/GHSA-7943-82jg-wmw5

Plugin Details

Severity: Critical

ID: 411955

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-31105

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/12/2022

Vulnerability Publication Date: 7/12/2022

Reference Information

CVE: CVE-2022-31105

cwe: CWE-295