CVE-2023-40026
Vulnerability from cvelistv5
Published
2023-09-27 20:43
Modified
2024-09-20 19:34
Severity ?
EPSS score ?
Summary
Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:24:55.173Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h" }, { "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-40026", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T17:51:13.599797Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T19:34:30.464Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "argo-cd", "vendor": "argoproj", "versions": [ { "status": "affected", "version": "\u003c 2.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User\u0027s still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-27T20:43:01.743Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h" }, { "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions", "tags": [ "x_refsource_MISC" ], "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions" } ], "source": { "advisory": "GHSA-6jqw-jwf5-rp8h", "discovery": "UNKNOWN" }, "title": "Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-40026", "datePublished": "2023-09-27T20:43:01.743Z", "dateReserved": "2023-08-08T13:46:25.243Z", "dateUpdated": "2024-09-20T19:34:30.464Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-40026\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-27T21:15:09.713\",\"lastModified\":\"2024-08-07T15:43:51.540\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User\u0027s still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation.\"},{\"lang\":\"es\",\"value\":\"Argo CD es un framework continuo declarativo para Kubernetes. En las versiones de Argo CD anteriores a la 2.3 (a partir de al menos la v0.1.0, pero probablemente en cualquier versi\u00f3n que use Helm antes de la 2.3), el uso de un archivo Helm manipulado espec\u00edficamente podr\u00eda hacer referencia a gr\u00e1ficos Helm externos manejados por el mismo servidor de repositorio para filtrar valores, o archivos del Helm Chart al que se hace referencia. Esto fue posible porque los caminos de Helm eran predecibles. La vulnerabilidad funcion\u00f3 agregando un gr\u00e1fico de Helm que hac\u00eda referencia a los recursos de Helm desde rutas predecibles. Debido a que las rutas de los gr\u00e1ficos de Helm eran predecibles y estaban disponibles en una instancia de repositorio-servidor, era posible hacer referencia y luego representar los valores y recursos de otros gr\u00e1ficos de Helm existentes independientemente de los permisos. Si bien, generalmente los secretos no se almacenan en estos archivos, fue posible hacer referencia a cualquier valor de estos gr\u00e1ficos. Este problema se solucion\u00f3 en Argo CD 2.3 y versiones posteriores aleatorizando las rutas de Helm. Se recomienda a los usuarios que todav\u00eda utilizan Argo CD 2.3 o inferior que actualicen a una versi\u00f3n compatible. Si esto no es posible, deshabilitar la representaci\u00f3n de gr\u00e1ficos de Helm o utilizar un servidor de repositorio adicional para cada gr\u00e1fico de Helm evitar\u00eda una posible explotaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.3.0\",\"matchCriteriaId\":\"D63E195F-F097-44AD-9A01-5B40C40A6426\"}]}]}],\"references\":[{\"url\":\"https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.