Closed bigkevmcd closed 1 year ago
@souleb please note that @mestadler has nominated you as Vulnerability Manager on this one. Slack thread with context for ya: https://weaveworks.slack.com/archives/CLNECSKPD/p1675269116678369?thread_ts=1675177301.542889&cid=CLNECSKPD
We were delegating to go-oidc for this, so we weren't vulnerable to the same issue.
Report
This section is to be completed to report a potential vulnerability.
Describe
We aren't verifying the `aud` claim from the JWT token.
References
https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc
Handling
If you are reporting a potential vulnerability, you can ignore this section. It is intended to be managed by a Vulnerability Manager.
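The check the report is about, as an added example that is not code from this project, from go-oidc, or from the linked Argo CD advisory: a relying party must confirm that the ID token's `aud` claim contains its own client ID, because a token that is correctly signed by the shared identity provider may still have been issued for a different application. To run offline the example signs tokens itself with an HS256 shared key; real OIDC deployments use asymmetric keys fetched from the issuer's JWKS, and the client ID `gitops-ui`, the key, and the token payloads below are all constructed for the demonstration. It goes slightly beyond the report by accepting both encodings of `aud` that RFC 7519 permits (a single string or an array of strings) and by failing closed when the claim is absent.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	errMalformed    = errors.New("jwt: malformed token")
	errBadSignature = errors.New("jwt: bad alg or signature")
	errAudience     = errors.New("jwt: aud does not contain this client_id")
)

// audience follows RFC 7519 section 4.1.3: "aud" may be a string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

type claims struct {
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
}

// verifyHS256 checks the signature with a shared key, pins alg to HS256, and decodes the claims.
func verifyHS256(token string, key []byte) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errMalformed
	}
	var header struct{ Alg string `json:"alg"` }
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "HS256" {
		return nil, errBadSignature
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errBadSignature
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(rawPayload, &c) != nil {
		return nil, errMalformed
	}
	return &c, nil
}

// checkAudience is the step the report says was missing: a validly signed token
// minted for another client must not sign a user into this one. No aud fails closed.
func checkAudience(c *claims, clientID string) error {
	for _, a := range c.Audience {
		if a == clientID {
			return nil
		}
	}
	return errAudience
}

// verifyIDToken is the relying-party entry point: signature first, then aud.
func verifyIDToken(token string, key []byte, clientID string) (*claims, error) {
	c, err := verifyHS256(token, key)
	if err != nil {
		return nil, err
	}
	if err := checkAudience(c, clientID); err != nil {
		return nil, err
	}
	return c, nil
}

// signHS256 mints a token over a JSON payload so the demo runs offline; in production only the IdP signs.
func signHS256(payload, key []byte) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	p := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(h + "." + p))
	return h + "." + p + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-key") // constructed demo key, not a real IdP secret
	// Constructed token: the shared IdP issued it for a different client.
	foreign := signHS256([]byte(`{"iss":"https://idp.example","sub":"alice","aud":"other-app"}`), key)
	_, sigOnly := verifyHS256(foreign, key)
	_, full := verifyIDToken(foreign, key, "gitops-ui")
	fmt.Println("signature only:", sigOnly, "| signature and aud:", full)
}
```

Running `main` shows the gap the report describes: the signature-only path returns no error for the foreign token, while the full check returns the `aud` mismatch. When delegating to a library such as go-oidc, the equivalent is to configure the verifier with the relying party's client ID rather than disabling the audience check.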