Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers (Security News, February 2022)
A high-severity security vulnerability in Argo CD can enable attackers to access targets' application-development environments, paving the way for stealing passwords, API keys, tokens and other sensitive information.
Argo CD is a continuous-delivery platform deployed as a Kubernetes controller in the cloud, and it's used to deploy applications, then continuously monitor them in real time as they run.
The bug is a path-traversal issue, according to Apiiro's security-research team: a class of flaw in which an adversary reaches files and directories outside the location it is authorized to access.
Attackers can exploit the bug by loading a malicious Kubernetes Helm chart YAML file into the Argo CD system, then using it to "hop" from their own application ecosystem to access other applications' data, researchers said.
The Helm chart file includes "the metadata and information needed to deploy the appropriate Kubernetes configuration, and the ability to dynamically update the cloud configuration as the manifest is being modified."
Argo CD's anti-path-traversal mechanism is handled by a single file in the source code, according to the analysis.
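As an added illustration, not Argo CD's own code or code from the article, here is the kind of lexical path-containment check that an "anti-path-traversal mechanism" for chart file references must perform, run over a constructed list of Helm value-file references; the repository root and file names are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// withinRoot reports whether candidate, as referenced from a Helm chart,
// resolves inside the absolute directory root. Relative paths are anchored
// under root; absolute ones are taken as given so "/etc/passwd" is not
// silently re-rooted. Lexical only: on disk, also resolve symlinks with
// filepath.EvalSymlinks, since a link inside root can point outside it.
func withinRoot(root, candidate string) bool {
	root = filepath.Clean(root)
	resolved := filepath.Clean(candidate)
	if !filepath.IsAbs(candidate) {
		resolved = filepath.Join(root, candidate) // Join also collapses ".."
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckValueFiles returns, in order, the references that escape repoRoot;
// an empty result means every reference stays inside the repository.
func CheckValueFiles(repoRoot string, valueFiles []string) []string {
	var escaped []string
	for _, f := range valueFiles {
		if !withinRoot(repoRoot, f) {
			escaped = append(escaped, f)
		}
	}
	return escaped
}

func main() {
	// Constructed sample: root and file list are assumptions, not Argo CD data.
	files := []string{
		"values.yaml",
		"env/../values.yaml",           // ".." that still stays inside the repo
		"../../other-app/secrets.yaml", // climbs out into another app's repo
		"/etc/passwd",                  // absolute path outside the repo
	}
	for _, f := range CheckValueFiles("/srv/argocd/repo", files) {
		fmt.Println("rejected:", f)
	}
}
```

A check of this shape rejects the escaping references and accepts the two that remain under the repository root.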
Source: https://threatpost.com/argo-cd-security-bug-kubernetes-cloud-apps/178239/