ghsa-h6h5-6fmq-rh28
Vulnerability from github
Impact
All unpatched versions of Argo CD starting with v1.5.0 are vulnerable to a path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user who has been granted create or update access to Applications (see the RBAC resources and actions documentation, https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) can leak the contents of any text file the repo-server process can read. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file.
Sensitive files which could be leaked include files from other Applications' source repositories that the repo-server has checked out (potentially decrypted files, if you are using a decryption plugin) or any secrets which have been mounted as files on the repo-server.
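The defect class here is CWE-22: a file path taken from attacker-controlled chart input was resolved without confirming that the result still lay inside the repository checkout. The following is an added illustration of the containment check that closes that class, written for this page and not taken from Argo CD's own code; the root directory and the sample paths are constructed, and the function names are this example's. It shows the lexical check (cleaning "../" components and comparing against the root) and the second check a practitioner should not forget: re-verifying containment after symlinks are resolved, since a link committed inside the repository can point at a mounted secret or at another Application's checkout.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would resolve outside
// the directory the caller is allowed to read from.
var ErrOutsideRoot = errors.New("path escapes the allowed root")

// contained reports whether path equals root or lies beneath it. Both
// arguments must already be absolute and cleaned, which is what
// filepath.Abs, filepath.Join and filepath.EvalSymlinks produce.
func contained(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	// filepath.Rel expresses an escape as ".." or "../something"; a name
	// that merely starts with two dots ("..foo") is still inside root.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveWithinRoot joins an untrusted relative path (for example a Helm
// value-file path taken from an Application spec) onto root and returns the
// cleaned absolute result, or ErrOutsideRoot if "../" components, however
// nested, would carry it out of root. This check is purely lexical.
func ResolveWithinRoot(root, untrusted string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "charts/../../x" collapses before we compare.
	candidate := filepath.Join(absRoot, untrusted)
	if !contained(absRoot, candidate) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// ReadWithinRoot performs the lexical check and then re-checks containment
// after resolving symlinks, so a link committed inside the repository that
// points at a file outside it (a mounted secret, another repository's
// checkout) is rejected as well. The file must exist for EvalSymlinks to work.
func ReadWithinRoot(root, untrusted string) ([]byte, error) {
	candidate, err := ResolveWithinRoot(root, untrusted)
	if err != nil {
		return nil, err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return nil, err
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return nil, err
	}
	if !contained(realRoot, realPath) {
		return nil, ErrOutsideRoot
	}
	return os.ReadFile(realPath)
}

func main() {
	// Constructed inputs: a hypothetical checkout directory and the kinds of
	// path an attacker-controlled Application could supply.
	root := "/tmp/argocd/repo-a"
	for _, p := range []string{
		"values.yaml",
		"charts/app/values-prod.yaml",
		"../repo-b/secrets.dec.yaml",                // another Application's checkout
		"charts/../../../../var/run/secrets/token", // a secret mounted on the repo-server
	} {
		resolved, err := ResolveWithinRoot(root, p)
		if err != nil {
			fmt.Printf("%-45s rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-45s -> %s\n", p, resolved)
	}
}
```

The lexical check alone would have accepted the symlink case, which is why ReadWithinRoot resolves both the root and the candidate before comparing them again; doing the comparison only on the resolved paths would, in turn, miss nothing but is slower and needs the file to exist, so the cheap lexical rejection runs first.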
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.3.0
- v2.2.6
- v2.1.11
Workarounds
The only certain way to avoid the vulnerability is to upgrade.
To mitigate the problem, you can
* avoid storing secrets in git
* avoid mounting secrets as files on the repo-server
* avoid decrypting secrets into files on the repo-server
* carefully limit who can create or update Applications (see https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions)
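The last mitigation is enforced through Argo CD's RBAC policy. The ConfigMap below is an added example for this page, not a file from the advisory or the Argo CD project: it assumes a project named team-a and SSO groups named team-a-devs and platform-admins, and grants developers only get and sync on Applications, reserving create and update (the actions this advisory requires) for the platform role.

```yaml
# Added example: argocd-rbac-cm with create/update on Applications restricted.
# Project "team-a" and the group names are assumptions for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Anyone not matched below falls back to the built-in read-only role.
  policy.default: role:readonly
  policy.csv: |
    # Developers may view and sync Applications in their project,
    # but cannot create or update them (and so cannot point one at a crafted chart).
    p, role:developer, applications, get,  team-a/*, allow
    p, role:developer, applications, sync, team-a/*, allow
    # Only the platform team may create, update or delete Applications.
    p, role:platform, applications, *, */*, allow
    # Map SSO groups (assumed names) onto the roles.
    g, team-a-devs,     role:developer
    g, platform-admins, role:platform
```

The object field is project/application, so team-a/* scopes the developer role to one project, while */* for the platform role covers every project. Remember that policy.default applies to every authenticated user the CSV does not match, so leaving it at role:admin would silently grant create and update to everyone.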
References
- Security documentation for the repo-server component: https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#git-helm-repositories
- Argo CD RBAC configuration documentation: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#
For more information
Open an issue in the Argo CD issue tracker (https://github.com/argoproj/argo-cd/issues) or discussions (https://github.com/argoproj/argo-cd/discussions).
Join us on Slack (https://argoproj.github.io/community/join-slack) in channel #argo-cd.
{
  "affected": [
    {
      "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" },
      "ranges": [
        { "events": [ { "introduced": "1.5.0" }, { "fixed": "2.1.11" } ], "type": "ECOSYSTEM" }
      ]
    },
    {
      "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" },
      "ranges": [
        { "events": [ { "introduced": "2.2.0" }, { "fixed": "2.2.6" } ], "type": "ECOSYSTEM" }
      ]
    },
    {
      "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" },
      "ranges": [
        { "events": [ { "introduced": "2.3.0-rc1" }, { "fixed": "2.3.0" } ], "type": "ECOSYSTEM" }
      ]
    }
  ],
  "aliases": [ "CVE-2022-24731" ],
  "database_specific": {
    "cwe_ids": [ "CWE-209", "CWE-22", "CWE-284" ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-24T00:12:46Z",
    "nvd_published_at": "2022-03-23T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAll unpatched versions of Argo CD starting with v1.5.0 are vulnerable to a path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD\u0027s repo-server.\n\nA malicious Argo CD user who has been granted [`create` or `update` access to Applications](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file\u0027s contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file.\n\nSensitive files which could be leaked include files from other Application\u0027s source repositories (potentially decrypted files, if you are using a decryption plugin) or any secrets which have been mounted as files on the repo-server.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.3.0\n* v2.2.6\n* v2.1.11\n\n### Workarounds\n\nThe only certain way to avoid the vulnerability is to upgrade. \n\nTo mitigate the problem, you can \n* avoid storing secrets in git\n* avoid mounting secrets as files on the repo-server\n* avoid decrypting secrets into files on the repo-server\n* carefully [limit who can `create` or `update` Applications](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions)\n\n### References\n\n* [Security documentation for the repo-server component](https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#git-helm-repositories)\n* [Argo CD RBAC configuration documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#)\n\n### For more information\n\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
  "id": "GHSA-h6h5-6fmq-rh28",
  "modified": "2022-03-24T00:12:46Z",
  "published": "2022-03-24T00:12:46Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h6h5-6fmq-rh28" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24731" },
    { "type": "PACKAGE", "url": "https://github.com/argoproj/argo-cd" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "type": "CVSS_V3" }
  ],
  "summary": "Path traversal allows leaking out-of-bound files from Argo CD repo-server"
}
Sightings
Author | Source | Type | Date
--- | --- | --- | ---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.