CVE-2022-24731
Path traversal allows leaking out-of-bound files from Argo CD repo-server
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `create` or `update` access to Applications can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from another Application's source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The problem can be mitigated by avoiding storing secrets in git, avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-server, and carefully limiting who can `create` or `update` Applications.
Argo CD es una herramienta declarativa de entrega continua GitOps para Kubernetes. Argo CD a partir de la versión 1.5.0 pero antes de las versiones 2.1.11, 2.2.6 y 2.3.0 es susceptible a una vulnerabilidad de salto de ruta, que permite a un usuario malicioso con acceso de lectura/escritura filtrar archivos confidenciales desde el repo-servidor de Argo CD. Un usuario malicioso de Argo CD al que le haya sido concedido acceso "create" o "update" aplicaciones puede filtrar el contenido de cualquier archivo de texto en el servidor de repositorios. Al diseñando un gráfico Helm malicioso y usándolo en una Aplicación, el atacante puede recuperar el contenido del archivo confidencial como parte de los manifiestos generados o en un mensaje de error. El atacante tendría que conocer o adivinar la ubicación del archivo objetivo. Los archivos confidenciales que podrían filtrarse incluyen archivos de los repositorios de origen de otra aplicación o cualquier secreto que haya sido montado como archivo en el servidor de repositorios. Esta vulnerabilidad está parcheada en las versiones 2.1.11, 2.2.6 y 2.3.0 de Argo CD. El problema puede ser mitigado al evitar almacenar secretos en git, evitando montar secretos como archivos en el servidor de repo, evitando descifrar secretos en archivos en el servidor de repo, y limitando cuidadosamente quién puede "create" o "update" Aplicaciones
A path traversal flaw was found in ArgoCD. This flaw allows an attacker who has been granted create or update access to applications to leak the contents of any text file on the repo-server by crafting a malicious Helm chart. Such text files could include sensitive information that the attacker should not have access to, compromising data confidentiality.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-10 CVE Reserved
- 2022-03-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-09-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-209: Generation of Error Message Containing Sensitive Information
- CWE-284: Improper Access Control
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/argoproj/argo-cd/security/advisories/GHSA-h6h5-6fmq-rh28 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-24731 | 2022-03-23 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2062755 | 2022-03-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 1.5.0 < 2.1.11 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 1.5.0 < 2.1.11" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | >= 2.2.0 < 2.2.6 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.2.0 < 2.2.6" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc1 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc2 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc4 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd" | 2.3.0 Search vendor "Linuxfoundation" for product "Argo-cd" and version "2.3.0" | rc5 |
Affected
| ||||||