Vulnerability Details : CVE-2022-24731
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `create` or `update` access to Applications can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from another Application's source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The problem can be mitigated by avoiding storing secrets in git, avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-server, and carefully limiting who can `create` or `update` Applications.
Vulnerability category: Directory traversal
Products affected by CVE-2022-24731
- cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
- cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
- cpe:2.3:a:argoproj:argo_cd:2.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:argoproj:argo_cd:2.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:argoproj:argo_cd:2.3.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:argoproj:argo_cd:2.3.0:rc5:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24731
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24731
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
4.9
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
1.2
|
3.6
|
NIST | |
6.8
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
2.3
|
4.0
|
GitHub, Inc. |
CWE ids for CVE-2022-24731
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
-
The product generates an error message that includes sensitive information about its environment, users, or associated data.Assigned by: nvd@nist.gov (Primary)
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-24731
-
https://github.com/argoproj/argo-cd/security/advisories/GHSA-h6h5-6fmq-rh28
Path traversal allows leaking out-of-bound files from Argo CD repo-server · Advisory · argoproj/argo-cd · GitHubThird Party Advisory
Jump to