Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

High-Severity Flaw in Argo CD Is Information Leak Risk

A high-severity security vulnerability in Argo CD could allow an attacker to access sensitive information from target applications.

A high-severity security vulnerability in Argo CD could allow an attacker to access sensitive information from target applications.

Argo CD, a popular open-source Continuous Delivery (CD) tool for Kubernetes, is used to monitor running applications and compares their live state, helping administrators synchronize applications with their desired state.

Tracked as CVE-2022-24348 (CVSS score of 7.7), the vulnerability is a path traversal bug that allows an attacker to load a Kubernetes Helm Chart YAML file and gain access to another application’s data. Helm charts are YAML files containing different fields that embed resources and configurations required for application deployment.

Kubernetes Helm chart files, which are used when building a new deployment pipeline, contain metadata and information necessary for the deployment, as well as the ability to update the cloud configuration.

The vulnerability allows an attacker to pass arbitrary values files to Helm charts or to craft “special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository’s root directory,” according an advisory from Argo CD.

[READ: Threat Actors Target Kubernetes Clusters via Argo Workflows ]

The platform’s maintainers note that an attacker looking to exploit the vulnerability must have permissions to create or update applications, and also needs to know or guess “the full path to a file containing valid YAML.”

Thus, the attacker can “create a malicious Helm chart to consume that YAML as values files, thereby gaining access to data they would otherwise have no access to.” Impact, the team says, becomes critical if sensitive or confidential data exists in the environment.

Apiiro, the company that discovered the security issue, warns successful exploitation could allow an attacker to read or steal “secrets, tokens, and other sensitive information residing on other applications.”

The weakness has been known to the development team since 2019, when an anti-path-traversal mechanism was added to the CD. However, the vulnerability exists because of an error in the control.

The patch for this vulnerability was included in the Argo CD releases v2.3.0, v2.2.4, and v2.1.9. The fix prevents “value files outside the repository root.”

Argo CD users are advised to update to a patched version of the platform as soon as possible as no workarounds are availble for this vulnerability.

Related: Critical SAP Vulnerability Allows Supply Chain Attacks

Related: Millions of Routers Impacted by NetUSB Kernel Vulnerability

Related: Log4Shell-Like Vulnerability Found in Popular H2 Database

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.