Directory Traversal Vulnerability in Argo CD by Argo Project
CVE-2022-24348

7.7HIGH

Key Information:

Vendor: Linux
Status: Argo-cd
Vendor: CVE Published:; 4 February 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A directory traversal vulnerability in Argo CD enables attackers to exploit improper access controls, allowing them to traverse directories and potentially access sensitive information, such as credentials stored in YAML files. This flaw arises from an issue in the helmTemplate function within repository.go, affecting installations of Argo CD that are prior to versions 2.1.9 or 2.2.4. If successfully exploited, this vulnerability could lead to data breaches, posing significant risks to deployed applications and underlying infrastructure.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-24348-2
Created by jkroepke

References

https://apiiro.com/blog/malicious-kubernetes-helm-charts-...

x_refsource_MISC

https://github.com/argoproj/argo-cd/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Feb 6, 2022
👾
Exploit known to exist
Feb 6, 2022
Vulnerability published
Feb 4, 2022
Vulnerability Reserved
Feb 2, 2022