Bug 2050826 (CVE-2022-24348)

Summary: CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: scorneli, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: argocd-2.3.0, argocd-2.2.4, argocd-2.1.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GitOps. This flaw allows an attacker with permissions to create or update applications in ArgoCD to craft a malicious helm chart that contains symbolic links pointing to arbitrary paths outside the repository root folder, leading to a path traversal issue. This issue enables the attacker to gain access to confidential information stored in other repositories within the same ArgoCD installation.
Story Points: ---
Last Closed: 2022-02-08 23:13:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2050828

Description Pedro Sampaio 2022-02-04 17:49:31 UTC
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
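The containment check this class of bug calls for, as an added example that is not Argo CD's own code from repository.go: a Helm value-file path must stay inside the checked-out repository root both lexically and after every symlink is followed. The function names `resolveValueFile` and `isWithin` are my own, and `root` is assumed to be the absolute path of the checkout.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("value file resolves outside the repository root")

// resolveValueFile returns the symlink-free absolute path of a Helm value file
// named relative to the checked-out repository root (an absolute path), or an
// error if that path lands outside the root, lexically or after symlinks.
func resolveValueFile(root, valueFile string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Lexical containment: rejects "../other-repo/creds.yaml" before any I/O.
	candidate := filepath.Join(absRoot, valueFile)
	if !isWithin(absRoot, candidate) {
		return "", errOutsideRoot
	}
	// Physical containment: a committed symlink like values.yaml -> /other-repo/x
	// passes the lexical check, so follow symlinks and test the real path too.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !isWithin(absRoot, resolved) {
		return "", errOutsideRoot
	}
	return resolved, nil
}

// isWithin reports whether path is root itself or lies beneath it.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

func main() {
	_, err := resolveValueFile("/tmp", "../etc/passwd") // rejected lexically
	fmt.Println(err)
}
```

The second `EvalSymlinks` call is the part a purely lexical `Clean`/`Rel` check misses, which is exactly the gap a symlink committed inside the chart exploits.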

Comment 2 errata-xmlrpc 2022-02-08 22:09:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:0476 https://access.redhat.com/errata/RHSA-2022:0476

Comment 3 errata-xmlrpc 2022-02-08 22:16:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:0477 https://access.redhat.com/errata/RHSA-2022:0477

Comment 4 Product Security DevOps Team 2022-02-08 23:13:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24348

Comment 6 errata-xmlrpc 2022-02-17 21:47:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.2

Via RHSA-2022:0580 https://access.redhat.com/errata/RHSA-2022:0580

Comment 7 errata-xmlrpc 2022-02-25 20:32:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:0682 https://access.redhat.com/errata/RHSA-2022:0682