The cloud security company Apiiro found a zero-day vulnerability in Argo’s continuous development tools and reported it on January 30. The flaw is tracked as CVE-2022-24348 and has a CVSS score of 7.7. It is described as “Path traversal and dereference of symlinks when passing Helm value files”.
All versions are vulnerable
The bug affects all versions of Argo continuous development tools except the recently released v2.3.0, v2.2.4, and v2.1.9. The developers of Argo CD urge users to update their installations immediately.
The bug is related to Helm charts. The path traversal bug allows arbitrary values to be passed to Helm charts for consumption. It is also possible to use the bug to create special Helm chart packages containing symbolic links that point to arbitrary files outside the repository’s root directory.
The company stated in its whitepaper:
« If an attacker with permissions to create or update Applications knows or can guess the full path to a file containing valid YAML, they can create a malicious Helm chart to consume that YAML as values files, thereby gaining access to data they would otherwise have no access to »
Environments that use encrypted value files containing sensitive or confidential data, such as passwords and API keys, are critically vulnerable to this flaw. In addition, the detailed error message from helm template, which is sent back to the user, creates additional risk by revealing information about the files on the repository server.
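The two conditions described above, a value-file path that leaves the repository root and a symbolic link inside the chart that points outside it, can be checked on a checked-out repository before it is rendered. The following is an added example, not Argo CD's code or its patch; the function names and the temporary directory layout are hypothetical and constructed for illustration.

```python
import os
import tempfile

def _inside(root, path):
    """True when absolute `path` is `root` itself or lies beneath it."""
    return os.path.commonpath([root, path]) == root

def check_value_file(repo_root, chart_dir, value_file):
    """Classify a value-file entry: 'ok', 'traversal' or 'symlink-escape'."""
    root = os.path.realpath(repo_root)
    # join() discards the earlier parts when value_file is absolute, so an
    # absolute path is judged on its own and fails the containment test.
    lexical = os.path.normpath(os.path.join(root, chart_dir, value_file))
    if not _inside(root, lexical):
        return "traversal"          # "../" sequences or an absolute path
    if not _inside(root, os.path.realpath(lexical)):
        return "symlink-escape"     # in-repo name, out-of-repo target
    return "ok"

def find_escaping_symlinks(repo_root):
    """List symlinks in the checkout whose targets resolve outside it."""
    root = os.path.realpath(repo_root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not _inside(root, os.path.realpath(path)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Build a constructed checkout in a temp dir and classify sample entries."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, outside = os.path.join(tmp, "repo"), os.path.join(tmp, "outside")
        chart = os.path.join(repo, "chart")
        os.makedirs(chart)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.yaml")
        for path in (os.path.join(chart, "values.yaml"), secret):
            with open(path, "w") as fh:
                fh.write("key: value\n")
        os.symlink(secret, os.path.join(chart, "linked.yaml"))
        entries = ["values.yaml", "../../outside/secret.yaml", secret, "linked.yaml"]
        return {"entries": [check_value_file(repo, "chart", e) for e in entries],
                "symlinks": find_escaping_symlinks(repo)}

if __name__ == "__main__":
    print(demo())
```

Both checks resolve symbolic links before comparing against the repository root, because a purely lexical comparison accepts `linked.yaml` even though its target sits outside the checkout.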