CVE-2022-24730

{"id": "CVE-2022-24730", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2022-03-23T21:15:08.023", "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r9cr-hvjj-496v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `get` access for a repository containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application `create` privileges or B) have been granted Application `get` privileges and are requesting details for a `repo_url` that has already been used for the given Application. There are currently no known workarounds."}, {"lang": "es", "value": "Argo CD es una herramienta declarativa de entrega continua GitOps para Kubernetes. Argo CD a partir de la versi\u00f3n 1.3.0 pero antes de las versiones 2.1.11, 2.2.6 y 2.3.0 es vulnerable a un fallo de salto de ruta, agravado por un fallo de control de acceso inapropiado, que permite a un usuario malicioso con acceso al repositorio de s\u00f3lo lectura filtrar archivos confidenciales del repo-servidor de Argo CD. Un usuario malicioso de Argo CD al que le haya sido concedido acceso \"get\" para un repositorio que contenga un gr\u00e1fico de Helm puede dise\u00f1ar una petici\u00f3n de API al endpoint \"/api/v1/repositories/{repo_url}/appdetails\" para filtrar el contenido de archivos fuera de l\u00edmites del servidor de repositorios. La carga \u00fatil maliciosa har\u00eda referencia a un archivo fuera de l\u00edmites, y el contenido de ese archivo ser\u00eda devuelto como parte de la respuesta. El contenido de un archivo no YAML puede ser devuelto como parte de un mensaje de error. El atacante tendr\u00eda que conocer o adivinar la ubicaci\u00f3n del archivo de destino. Los archivos confidenciales que podr\u00edan filtrarse incluyen archivos de los repositorios de fuentes de otras aplicaciones o cualquier secreto que haya sido montado como archivo en el servidor de repositorios. Esta vulnerabilidad est\u00e1 parcheada en las versiones 2.1.11, 2.2.6 y 2.3.0 de Argo CD. Los parches evitan el salto de ruta y limitan el acceso a usuarios que, o bien A) han recibido privilegios \"create\" de aplicaciones, o bien B) han recibido privilegios \"get\" de aplicaciones y est\u00e1n solicitando detalles para una \"repo_url\" que ya ha sido usada para la aplicaci\u00f3n en cuesti\u00f3n. Actualmente no se presentan medidas de mitigaci\u00f3n conocidas"}], "lastModified": "2023-06-23T19:16:54.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5F508B6-949C-47FF-B8DB-5224B3E2633B", "versionEndExcluding": "2.1.11", "versionStartIncluding": "1.3.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB984225-D14A-4D0C-9A84-6D8965105DC2", "versionEndExcluding": "2.2.6", "versionStartIncluding": "2.2.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.3.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33248FAD-A339-4EF6-845C-BE9A767BBC46"}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.3.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44FEBECC-4043-4F0E-B490-DEEDC97C6EA1"}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.3.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D18CDAA-5238-483F-BFCA-0B8D336D3D48"}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:2.3.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60AE1274-722E-4358-8DEC-0BCD712D94CD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}