CVE-2022-24730 Information
Description
Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted get access for a repository containing a Helm chart can craft an API request to the /api/v1/repositories/{repo_url}/appdetails endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application create privileges or B) have been granted Application get privileges and are requesting details for a repo_url that has already been used for the given Application. There are currently no known workarounds.
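Added example (not part of the CVE record and not Argo CD's own code): a Python check that classifies Argo CD version strings against the affected range stated above, so an operator can audit an inventory of instances. Treating a pre-release such as a 2.3.0 release candidate as "before 2.3.0" is an assumption of this example.

```python
"""Classify Argo CD versions against CVE-2022-24730's affected range:
>= 1.3.0 and < 2.1.11 (2.1 line), < 2.2.6 (2.2 line), < 2.3.0 (2.3 line)."""
import re
from typing import Dict, List, Optional, Tuple

# Version as (major, minor, patch, is_release); is_release=0 for a
# pre-release suffix (e.g. "-rc1") so it sorts before the final release.
Version = Tuple[int, int, int, int]

FIRST_AFFECTED: Version = (1, 3, 0, 1)
# First fixed release on each branch that received a backport.
FIXED_ON_BRANCH: Dict[Tuple[int, int], Version] = {
    (2, 1): (2, 1, 11, 1),
    (2, 2): (2, 2, 6, 1),
}
FIRST_FIXED_LINE: Version = (2, 3, 0, 1)  # 2.3.0 and everything later

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'v2.2.5' or '2.3.0-rc1'; return None if the string is not a version."""
    m = _VER.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(text: str) -> Optional[bool]:
    """True if vulnerable, False if fixed or too old, None if unparsable."""
    v = parse_version(text)
    if v is None:
        return None
    if v < FIRST_AFFECTED:
        return False  # older than 1.3.0
    branch = (v[0], v[1])
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]  # backported fix on 2.1 / 2.2
    if branch >= (2, 3):
        return v < FIRST_FIXED_LINE  # only 2.3.0 pre-releases remain affected
    return True  # 1.3.0 .. 2.0.x never received a fix


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return the names of instances (constructed name -> version map) that need patching."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))
```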
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reference
https://github.com/argoproj/argo-cd/security/advisories/GHSA-r9cr-hvjj-496v
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
6.5
Base Severity
MEDIUM