CVE-2022-24731: Path traversal allows leaking out-of-bound files from Argo CD repo-server

First published: Wed Mar 23 2022(Updated: )

### Impact All unpatched versions of Argo CD starting with v1.5.0 are vulnerable to a path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted [`create` or `update` access to Applications](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Application's source repositories (potentially decrypted files, if you are using a decryption plugin) or any secrets which have been mounted as files on the repo-server. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.3.0 * v2.2.6 * v2.1.11 ### Workarounds The only certain way to avoid the vulnerability is to upgrade. To mitigate the problem, you can * avoid storing secrets in git * avoid mounting secrets as files on the repo-server * avoid decrypting secrets into files on the repo-server * carefully [limit who can `create` or `update` Applications](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) ### References * [Security documentation for the repo-server component](https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#git-helm-repositories) * [Argo CD RBAC configuration documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#) ### For more information Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• collector/mitre-cve
• source/MITRE
• agent/weakness
• agent/title
• agent/severity
• agent/first-publish-date
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• agent/author
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-h6h5-6fmq-rh28
• alias/CVE-2022-24731
• agent/tags
• agent/references
• agent/last-modified-date
• agent/description
• collector/nvd-cve
• agent/softwarecombine
• agent/event
• collector/github-advisory
• vendor/linuxfoundation
• canonical/linuxfoundation argo-cd
• version/linuxfoundation argo-cd/1.5.0
• version/linuxfoundation argo-cd/2.2.0
• version/linuxfoundation argo-cd/2.3.0-rc1
• version/linuxfoundation argo-cd/2.3.0-rc2
• version/linuxfoundation argo-cd/2.3.0-rc4
• version/linuxfoundation argo-cd/2.3.0-rc5
• vendor/argoproj
• canonical/argoproj argo cd
• version/argoproj argo cd/1.5.0
• version/argoproj argo cd/2.2.0
• version/argoproj argo cd/2.3.0-rc1
• version/argoproj argo cd/2.3.0-rc2
• version/argoproj argo cd/2.3.0-rc4
• version/argoproj argo cd/2.3.0-rc5
• package-manager/go