CVE-2022-24730
Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `get` access for a repository containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application `create` privileges or B) have been granted Application `get` privileges and are requesting details for a `repo_url` that has already been used for the given Application. There are currently no known workarounds.
Argo CD es una herramienta declarativa de entrega continua GitOps para Kubernetes. Argo CD a partir de la versión 1.3.0 pero antes de las versiones 2.1.11, 2.2.6 y 2.3.0 es vulnerable a un fallo de salto de ruta, agravado por un fallo de control de acceso inapropiado, que permite a un usuario malicioso con acceso al repositorio de sólo lectura filtrar archivos confidenciales del repo-servidor de Argo CD. Un usuario malicioso de Argo CD al que le haya sido concedido acceso "get" para un repositorio que contenga un gráfico de Helm puede diseñar una petición de API al endpoint "/api/v1/repositories/{repo_url}/appdetails" para filtrar el contenido de archivos fuera de límites del servidor de repositorios. La carga útil maliciosa haría referencia a un archivo fuera de límites, y el contenido de ese archivo sería devuelto como parte de la respuesta. El contenido de un archivo no YAML puede ser devuelto como parte de un mensaje de error. El atacante tendría que conocer o adivinar la ubicación del archivo de destino. Los archivos confidenciales que podrían filtrarse incluyen archivos de los repositorios de fuentes de otras aplicaciones o cualquier secreto que haya sido montado como archivo en el servidor de repositorios. Esta vulnerabilidad está parcheada en las versiones 2.1.11, 2.2.6 y 2.3.0 de Argo CD. Los parches evitan el salto de ruta y limitan el acceso a usuarios que, o bien A) han recibido privilegios "create" de aplicaciones, o bien B) han recibido privilegios "get" de aplicaciones y están solicitando detalles para una "repo_url" que ya ha sido usada para la aplicación en cuestión. Actualmente no se presentan medidas de mitigación conocidas
A flaw was found in ArgoCD. This flaw allows an attacker with read-only repository access to leak files from the repo server that the attacker should not have access to. An attacker can send a crafted request to retrieve file contents. This issue results in the disclosure of sensitive information to an unauthorized actor and compromises data confidentiality.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-10 CVE Reserved
- 2022-03-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-09-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-284: Improper Access Control
- CWE-863: Incorrect Authorization
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/argoproj/argo-cd/security/advisories/GHSA-r9cr-hvjj-496v | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-24730 | 2022-03-23 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2062751 | 2022-03-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 1.3.0 < 2.1.11 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 1.3.0 < 2.1.11" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 2.2.0 < 2.2.6 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.2.0 < 2.2.6" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc1 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc2 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc4 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc5 |
Affected
| ||||||