Security News > 2022 > February > Argo CD vulnerability leaks sensitive info from Kubernetes apps

Argo CD vulnerability leaks sensitive info from Kubernetes apps
2022-02-04 15:43

A vulnerability in Argo CD, used by thousands of orgs for deploying applications to Kubernetes, can be leveraged in attacks to disclose sensitive information such as passwords and API keys.

Threat actors can exploit the vulnerability by loading a malicious Kubernetes Helm Chart YAML file onto the target system, allowing the extraction of sensitive information from other applications.

Argo CD is being used by thousands of organizations globally, so discovering the vulnerability is significant and requires immediate attention by developers and admins.

The developers of Argo CD envisioned the possibility of a malicious actor using Helm value files outside of the chart folder and attempted to address the issue with a new check mechanism introduced in version 1.3.0, released in 2019.

"An attacker can assemble a concatenated, direct call to a specified values.yaml file, which is used by many applications as a vassal for secret and sensitive values."

Argo CD released a security update that contains the fix for CVE-2022-24348 today, with version 2.3.0-rc4.


News URL

https://www.bleepingcomputer.com/news/security/argo-cd-vulnerability-leaks-sensitive-info-from-kubernetes-apps/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-02-04 CVE-2022-24348 Path Traversal vulnerability in Argoproj Argo CD
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go.
network
low complexity
argoproj CWE-22
7.7

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kubernetes 19 5 45 34 8 92