Argo CD released a patch this week for a zero-day vulnerability enabling attackers to access sensitive information like passwords and API keys.
The vulnerability was discovered by Apiiro’s Security Research team and explained in a blog post released alongside the patch.
Argo CD is a popular open source Continuous Delivery platform, and the vulnerability — tagged as CVE-2022-24348 with a CVSS score of 7.7 — “allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope.”
The actors can then read and exfiltrate data residing in other applications, according to Apiiro.
On GitHub, the company said all versions of Argo CD are vulnerable to the path traversal bug and noted that it is “possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository’s root directory.”
“If an attacker with permissions to create or update Applications knows or can guess the full path to a file containing valid YAML, they can create a malicious Helm chart to consume that YAML as values files, thereby gaining access to data they would otherwise have no access
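The bug described above comes down to one missing check: a values file named in an Application was opened without first confirming where it really pointed. The following is an added example, not code from Argo CD or from Apiiro, that reproduces the mechanism in a scratch directory and puts the unsafe read next to a hardened one. It assumes a constructed layout (a fake repository, a symlinked values.yaml, a secret file outside the repository root); the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a values file, after symlink resolution,
// does not live under the repository root.
var ErrOutsideRepo = errors.New("values file resolves outside repository root")

// ResolveValuesFile takes a path relative to repoRoot (as it would appear in
// an Application's list of Helm value files), follows any symlinks on both the
// root and the candidate, and rejects the candidate unless the real file is
// inside the real root. This is the containment check the naive read lacks.
func ResolveValuesFile(repoRoot, valuesRel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(realRoot, valuesRel))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return "", err
	}
	// A relative path that starts with ".." escaped the root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return realPath, nil
}

// ReadValuesNaive mirrors the pre-patch behaviour: open whatever the path
// points at. A symlink inside the chart silently pulls in a file elsewhere.
func ReadValuesNaive(repoRoot, valuesRel string) ([]byte, error) {
	return os.ReadFile(filepath.Join(repoRoot, valuesRel))
}

// ReadValuesChecked only reads the file once ResolveValuesFile accepts it.
func ReadValuesChecked(repoRoot, valuesRel string) ([]byte, error) {
	p, err := ResolveValuesFile(repoRoot, valuesRel)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// BuildFixture creates a constructed layout under a temp dir (hypothetical
// data, not a real chart): a "secret" outside the repo, and a chart whose
// values.yaml is a symlink to that secret plus one honest values file.
func BuildFixture() (repoRoot string, cleanup func(), err error) {
	var base string
	base, err = os.MkdirTemp("", "argo-symlink-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	secret := filepath.Join(base, "outside", "secret.yaml")
	repoRoot = filepath.Join(base, "repo")
	chart := filepath.Join(repoRoot, "chart")
	if err = os.MkdirAll(filepath.Dir(secret), 0o755); err != nil {
		return "", cleanup, err
	}
	if err = os.MkdirAll(chart, 0o755); err != nil {
		return "", cleanup, err
	}
	if err = os.WriteFile(secret, []byte("apiKey: CONSTRUCTED-SECRET\n"), 0o600); err != nil {
		return "", cleanup, err
	}
	if err = os.WriteFile(filepath.Join(chart, "honest.yaml"), []byte("replicas: 1\n"), 0o644); err != nil {
		return "", cleanup, err
	}
	err = os.Symlink(secret, filepath.Join(chart, "values.yaml"))
	return repoRoot, cleanup, err
}

func main() {
	repo, cleanup, err := BuildFixture()
	if err != nil {
		fmt.Println("fixture:", err)
		return
	}
	defer cleanup()
	leaked, _ := ReadValuesNaive(repo, "chart/values.yaml")
	fmt.Printf("naive read of symlinked values.yaml: %q\n", leaked)
	_, err = ReadValuesChecked(repo, "chart/values.yaml")
	fmt.Println("checked read of symlinked values.yaml:", err)
	ok, _ := ReadValuesChecked(repo, "chart/honest.yaml")
	fmt.Printf("checked read of honest.yaml: %q\n", ok)
}
```

Resolving the repository root as well as the candidate matters in practice: on systems where the repo directory itself sits behind a symlink (macOS temp dirs, for instance), comparing an unresolved root against a resolved file path would reject legitimate files. The same check also catches plain `..` traversal in the configured path, since the cleaned path lands outside the root before any symlink is involved.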