All unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink-following bug that allows a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access to a repository that is (or may be) used in a directory-type Application can commit a symlink that points to a file outside the repository (an out-of-bounds file), which the repo-server then reads and returns as if it were repository content.
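A defender-side check in the spirit of the fix, added here as an example and not Argo CD's own code: it walks a checked-out repository and reports every symlink that resolves outside the repository root, which is the out-of-bounds condition described above. The function name `OutOfBoundsSymlinks` is an assumption of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// OutOfBoundsSymlinks walks repoRoot (a checked-out repository such as the
// repo-server would read) and returns the repo-relative path of every symlink
// whose resolved target lies outside repoRoot. filepath.EvalSymlinks resolves
// link chains and ".." components, so a link to "../../etc/passwd" and a link
// to an absolute path are both caught. Dangling links are reported as well.
func OutOfBoundsSymlinks(repoRoot string) ([]string, error) {
	absRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	if absRoot, err = filepath.Abs(absRoot); err != nil {
		return nil, err
	}
	var bad []string
	err = filepath.WalkDir(absRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular files and directories are always in bounds
		}
		rel, _ := filepath.Rel(absRoot, p)
		target, err := filepath.EvalSymlinks(p)
		if err != nil {
			bad = append(bad, rel) // dangling link: reject rather than ignore
			return nil
		}
		// In bounds only if the target is the root itself or sits below it.
		if target != absRoot && !strings.HasPrefix(target, absRoot+string(os.PathSeparator)) {
			bad = append(bad, rel)
		}
		return nil
	})
	return bad, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	bad, err := OutOfBoundsSymlinks(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(2)
	}
	for _, p := range bad {
		fmt.Println("out-of-bounds symlink:", p)
	}
}
```

Run it against a cloned repository path; a non-empty result is the signal a repo-server should treat as a reason to refuse the manifest directory.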
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.3 via RHSA-2022:4671 https://access.redhat.com/errata/RHSA-2022:4671
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.5 via RHSA-2022:4690 https://access.redhat.com/errata/RHSA-2022:4690
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.3 via RHSA-2022:4691 https://access.redhat.com/errata/RHSA-2022:4691
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.4 via RHSA-2022:4692 https://access.redhat.com/errata/RHSA-2022:4692
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24904