Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
References
| Link | Resource |
|---|---|
| https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/ | Exploit Third Party Advisory |
| https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
09 Feb 2022, 13:53
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 7.7 |
| References | (MISC) https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/ - Exploit, Third Party Advisory | |
| References | (CONFIRM) https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7 - Exploit, Third Party Advisory | |
| CPE | cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:* | |
| First Time |
Linuxfoundation argo-cd
Linuxfoundation |
|
| CWE | CWE-22 |
04 Feb 2022, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-02-04 21:15
Updated : 2023-12-10 14:09
NVD link : CVE-2022-24348
Mitre link : CVE-2022-24348
CVE.ORG link : CVE-2022-24348
JSON object : View
Products Affected
linuxfoundation
- argo-cd
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')