CVE-2022-24730
Published 2022-03-23
Priority P3 · 38 · medium · CVSS 3.1 base score 6.5 · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.86% (53.9th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `get` access for a repository containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application `create` privileges or B) have been granted Application `get` privileges and are requesting details for a `repo_url` that has already been used for the given Application. There are currently no known workarounds.
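The two halves of the fix described above, written as an added Go example rather than Argo CD's own code: a containment check that refuses a request path resolving outside the checked-out repository, and the access rule (Application `create`, or Application `get` plus a `repo_url` the Application already uses). `ResolveInRepo`, `AppDetailsRequest` and `AllowAppDetails` are assumed names.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// ErrOutOfBounds is returned when a requested file resolves outside the repo checkout.
var ErrOutOfBounds = errors.New("requested path escapes repository root")

// ResolveInRepo joins a user-controlled relative path onto the checkout root and rejects
// any result that escapes it (the traversal half of the fix). Hypothetical helper.
// It does not resolve symlinks; a production check should also apply filepath.EvalSymlinks.
func ResolveInRepo(repoRoot, requested string) (string, error) {
	root := filepath.Clean(repoRoot)
	full := filepath.Join(root, requested) // Join cleans, so "../../x" collapses above root
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutOfBounds
	}
	return full, nil
}

// AppDetailsRequest models the inputs the access decision needs (hypothetical type).
type AppDetailsRequest struct {
	CanCreateApp bool     // user holds Application create privilege
	CanGetApp    bool     // user holds Application get privilege on the named Application
	RepoURL      string   // repo_url from the request
	AppSources   []string // repo URLs already used by that Application
}

// AllowAppDetails encodes the advisory's rule: allow if the user can create Applications,
// or can get this Application and repo_url is one the Application already uses.
func AllowAppDetails(r AppDetailsRequest) bool {
	if r.CanCreateApp {
		return true
	}
	if !r.CanGetApp {
		return false
	}
	for _, src := range r.AppSources {
		if src == r.RepoURL {
			return true
		}
	}
	return false
}
```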
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | — | — |
| argoproj | argo_cd | >= 1.3.0 < 2.1.11 | 2.1.11 |
| argoproj | argo_cd | >= 2.2.0 < 2.2.6 | 2.2.6 |
| github.com | argoproj_argo-cd | >= 1.3.0 < 2.1.11 | 2.1.11 |
| github.com | argoproj_argo-cd | >= 1.3.0 | — |
| github.com | argoproj_argo-cd | >= 2.2.0 < 2.2.6 | 2.2.6 |
| github.com | argoproj_argo-cd | >= 2.3.0-rc1 < 2.3.0 | 2.3.0 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.1.11 | 2.1.11 |
| github.com | argoproj_argo-cd_v2 | >= 2.2.0 < 2.2.6 | 2.2.6 |
| github.com | argoproj_argo-cd_v2 | >= 2.3.0-rc1 < 2.3.0 | 2.3.0 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 7.7 | HIGH | — |
OSV
Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
osv·2024-08-21
OSV
Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server
osv·2022-03-24
CVE-2022-24730 [HIGH] Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server
### Impact
All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user who has been granted [`get` access for a repository](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server.
The malicious payload would reference an out-of-bounds file, and the contents of that
GHSA
Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server
ghsa·2022-03-24
CVE-2022-24730 [HIGH] CWE-22 Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server
Red Hat
argocd: path traversal and improper access control allows leaking out-of-bound files
vendor_redhat·2022-03-22·CVSS 7.7
CVE-2022-24730 [HIGH] CWE-22 argocd: path traversal and improper access control allows leaking out-of-bound files
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Improper Authorization
mitre_cwe
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE
Missing Authorization
mitre_cwe
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Background: An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions.