Vulnerability in Argo CD allows data theft via Helm charts

Vulnerability in Argo CD
Written by Emma Davis

A vulnerability in the Argo CD tool, used by thousands of organizations to deploy applications to Kubernetes, could be used for lateral movement, privilege escalation, and to steal sensitive data, including passwords and API keys.

It is worth noting that Argo CD is officially used by many large companies, including Alibaba Group, BMW Group, Deloitte, Gojek, IBM, Intuit, LexisNexis, Red Hat, Skyscanner, Swisscom and Ticketmaster.

The problem, discovered at the end of January by Apiiro researchers, is tracked as CVE-2022-24348 (CVSS score 7.7) and affects every Argo CD release prior to the fix. It has been patched in versions 2.3.0, 2.2.4 and 2.1.9.

The vulnerability is a path traversal (directory traversal) issue. An attacker who can create or update Argo CD Applications can load a specially crafted Helm chart whose YAML value files escape the application’s own directory, gaining access to other applications’ data on the repository server that should be outside that user’s scope.

“You can create custom Helm chart packages that contain value files which are actually symbolic links pointing to arbitrary files outside of the repository’s root directory,” the developers explain.


“The impact can especially become critical in environments that make use of encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data, and decrypt these secrets to disk before rendering the Helm chart. Also, because any error message from helm template is passed back to the user, and these error messages are quite verbose, enumeration of files on the repository server’s file system is possible,” Apiiro’s researchers add.
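To make the symlink trick concrete, the following Go program (an added illustration written for this article, not Argo CD’s own code or Apiiro’s proof of concept) builds a constructed chart in a temporary directory in which `values-prod.yaml` is a symlink to a file outside the repository root, then runs two containment checks against it. `NaiveValuesPath` only cleans the path and compares string prefixes, so the symlink passes; `SafeValuesPath` expands symlinks with `filepath.EvalSymlinks` before checking containment and rejects it. The function names, the directory layout and the file contents are all assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a values-file path, once every symlink is
// expanded, does not live under the repository root.
var ErrEscapesRoot = errors.New("values file resolves outside repository root")

// NaiveValuesPath is the kind of check a symlink gets past: it cleans "../"
// components and compares string prefixes, but never looks at what the file
// actually is. A symlink named values-prod.yaml inside the repo is accepted.
func NaiveValuesPath(repoRoot, valuesFile string) (string, error) {
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, valuesFile) // Join also cleans "../"
	if !strings.HasPrefix(candidate, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return candidate, nil
}

// SafeValuesPath resolves both the root and the candidate file with
// filepath.EvalSymlinks and only then checks containment, so a symlink that
// points at a decrypted secrets file elsewhere on disk is rejected.
func SafeValuesPath(repoRoot, valuesFile string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	if root, err = filepath.Abs(root); err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, valuesFile))
	if err != nil {
		return "", err // missing file or dangling symlink: fail closed
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

// BuildDemoRepo lays out a constructed example under base and returns
// base/repo as the repository root:
//   base/outside/secret.yaml          a file the chart must never read
//   base/repo/chart/values.yaml       an ordinary values file
//   base/repo/chart/values-prod.yaml  symlink -> ../../outside/secret.yaml
func BuildDemoRepo(base string) (string, error) {
	outside := filepath.Join(base, "outside")
	chart := filepath.Join(base, "repo", "chart")
	for _, d := range []string{outside, chart} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	files := map[string]string{
		filepath.Join(outside, "secret.yaml"): "apiKey: not-a-real-key\n", // constructed
		filepath.Join(chart, "Chart.yaml"):    "apiVersion: v2\nname: demo\nversion: 0.1.0\n",
		filepath.Join(chart, "values.yaml"):   "replicaCount: 1\n",
	}
	for p, body := range files {
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	// The malicious part of the chart: a "values file" that is really a symlink.
	link := filepath.Join(chart, "values-prod.yaml")
	if err := os.Symlink(filepath.Join("..", "..", "outside", "secret.yaml"), link); err != nil {
		return "", err
	}
	return filepath.Join(base, "repo"), nil
}

func main() {
	base, err := os.MkdirTemp("", "argocd-symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root, err := BuildDemoRepo(base)
	if err != nil {
		panic(err)
	}
	for _, f := range []string{"chart/values.yaml", "chart/values-prod.yaml", "../outside/secret.yaml"} {
		_, naiveErr := NaiveValuesPath(root, f)
		_, safeErr := SafeValuesPath(root, f)
		fmt.Printf("%-24s naive: %v  safe: %v\n", f, naiveErr, safeErr)
	}
}
```

The plain `../outside/secret.yaml` case is caught by both checks because `filepath.Join` cleans it; only the symlink separates the two, which is exactly why a string-prefix check on the unresolved path is not a fix. Resolving the root itself matters too, since temporary and mounted directories are often symlinks and a containment test that compares a resolved file against an unresolved root will reject legitimate files.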

The Argo CD maintainers recommend that everyone update to the fixed versions as soon as possible, as there is no workaround for this problem.

Let me remind you that we also wrote that Apache Vulnerability May Lead to Remote Code Execution, and also that VMware Alerts That Critical Vulnerability Has Been Found In vCenter Server.
