Security News > 2022 > February > Open-source Kubernetes tool Argo CD has a high-severity path traversal flaw: Patch now

A zero-day vulnerability in open-source Kubernetes development tool Argo lets malicious people steal passwords from git-crypt and other sensitive information by simply uploading a crafted Helm chart.

The vuln, tracked as CVE-2022-24438, exists in Argo CD, a widely used open-source continuous delivery tool for Kubernetes.

"It is possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository's root directory," said a member of the Argo project in a security advisory about the flaw.

Among other larger software platforms using Argo CD is Red Hat's OpenShift project.

The firm added: "Although Argo CD contributors were aware of this weak point in 2019 and implemented an anti-path-traversal mechanism, a bug in the control [sic] allows for exploitation of this vulnerability."

Using a crafted Helm chart to pass it absolute file paths in URI format would therefore allow an attacker to sidestep Argo CD's file path traversal prevention mechanism.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/04/argo_cd_0day_kubernetes/