Security News > 2022 > February > Argo CD vulnerability leaks sensitive info from Kubernetes apps
A vulnerability in Argo CD, used by thousands of orgs for deploying applications to Kubernetes, can be leveraged in attacks to disclose sensitive information such as passwords and API keys.
Threat actors can exploit the vulnerability by loading a malicious Kubernetes Helm Chart YAML file onto the target system, allowing the extraction of sensitive information from other applications.
Argo CD is being used by thousands of organizations globally, so discovering the vulnerability is significant and requires immediate attention by developers and admins.
The developers of Argo CD envisioned the possibility of a malicious actor using Helm value files outside of the chart folder and attempted to address the issue with a new check mechanism introduced in version 1.3.0, released in 2019.
"An attacker can assemble a concatenated, direct call to a specified values.yaml file, which is used by many applications as a vassal for secret and sensitive values."
Argo CD released a security update that contains the fix for CVE-2022-24348 today, with version 2.3.0-rc4.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-04 | CVE-2022-24348 | Path Traversal vulnerability in Argoproj Argo CD Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. | 7.7 |