GMS-2023-136: JWT audience claim is not verified

January 25, 2023

All versions of Argo CD starting with v1.8.2 is vulnerable to an improper authorization bug causing the API to accept certain invalid tokens.

OIDC providers include an aud (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token).

References

github.com/advisories/GHSA-q9hr-j4rf-8fjc
github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc

Code Behaviors & Features

Detect and mitigate GMS-2023-136 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →