CVE-2022-24731
published 2022-03-23CVE-2022-24731: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is…
PriorityP428medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
EPSS
0.92%
55.9th percentile
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `create` or `update` access to Applications can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from another Application's source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The problem can be mitigated by avoiding storing secrets in git, avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-server, and carefully limiting who can `create` or `update` Applications.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | — | — |
| argoproj | argo_cd | >= 1.5.0 < 2.1.11 | 2.1.11 |
| argoproj | argo_cd | >= 2.2.0 < 2.2.6 | 2.2.6 |
| github.com | argoproj_argo-cd | >= 1.5.0 < 2.1.11 | 2.1.11 |
| github.com | argoproj_argo-cd | >= 1.5.0 | — |
| github.com | argoproj_argo-cd | >= 2.2.0 < 2.2.6 | 2.2.6 |
| github.com | argoproj_argo-cd | >= 2.3.0-rc1 < 2.3.0 | 2.3.0 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.1.11 | 2.1.11 |
| github.com | argoproj_argo-cd_v2 | >= 2.2.0 < 2.2.6 | 2.2.6 |
| github.com | argoproj_argo-cd_v2 | >= 2.3.0-rc1 < 2.3.0 | 2.3.0 |
CVSS provenance
nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
vendor_redhat6.8MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
osv·2024-08-21
CVE-2022-24731 Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
OSV
Path traversal allows leaking out-of-bound files from Argo CD repo-server
osv·2022-03-24
CVE-2022-24731 [MEDIUM] Path traversal allows leaking out-of-bound files from Argo CD repo-server
Path traversal allows leaking out-of-bound files from Argo CD repo-server
### Impact
All unpatched versions of Argo CD starting with v1.5.0 are vulnerable to a path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user who has been granted [`create` or `update` access to Applications](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file.
S
GHSA
Path traversal allows leaking out-of-bound files from Argo CD repo-server
ghsa·2022-03-24
CVE-2022-24731 [MEDIUM] CWE-209 Path traversal allows leaking out-of-bound files from Argo CD repo-server
Path traversal allows leaking out-of-bound files from Argo CD repo-server
### Impact
All unpatched versions of Argo CD starting with v1.5.0 are vulnerable to a path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user who has been granted [`create` or `update` access to Applications](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file.
S
Red Hat
argocd: path traversal allows leaking out-of-bound files
vendor_redhat·2022-03-22·CVSS 6.8
CVE-2022-24731 [MEDIUM] CWE-22 argocd: path traversal allows leaking out-of-bound files
argocd: path traversal allows leaking out-of-bound files
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `create` or `update` access to Applications can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which cou
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-03-23
Published