Bug 2096291 (CVE-2022-31036)

Summary: CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: scorneli, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ArgoCD 2.1.16, ArgoCD 2.2.10, ArgoCD 2.3.5, ArgoCD 2.4.1
Doc Type: If docs needed, set a value
Doc Text:
A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-28 12:06:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2096259

Description Rohit Keshri 2022-06-13 13:01:49 UTC
All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server.

A malicious Argo CD user with write access for a repository (or maybe) used in a Helm-type Application may commit a symlink pointing to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file.

Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server.
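The defensive check that closes the class of bug described above is to refuse any symlink in a checked-out repository whose resolved target leaves the repository root. The following is an added illustration written for this entry, not Argo CD's own code: EscapingSymlinks and BuildDemoRepo are hypothetical names, and the chart layout (a values.yaml, one in-repo link, one link reaching a sibling "outside" directory) is constructed sample data.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// EscapingSymlinks walks repoRoot without following links and reports every
// symlink whose target resolves outside the canonical repo root (dangling links
// too, since they cannot be verified). Hypothetical helper, not Argo CD's code.
func EscapingSymlinks(repoRoot string) ([]string, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // canonical root, e.g. /var -> /private/var
	if err != nil {
		return nil, err
	}
	var bad []string
	walkErr := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.Mode()&os.ModeSymlink == 0 {
			return err // only symlinks can point outside the checkout
		}
		target, err := filepath.EvalSymlinks(p)
		if err == nil {
			target, err = filepath.Rel(root, target) // "../x" means it left the root
		}
		if err != nil || target == ".." || strings.HasPrefix(target, ".."+string(filepath.Separator)) {
			bad = append(bad, strings.TrimPrefix(p, root+string(filepath.Separator)))
		}
		return nil
	})
	return bad, walkErr
}

// BuildDemoRepo lays out a constructed Helm-style chart under base: values.yaml,
// a link that stays inside the repo and a link that escapes to a sibling directory.
func BuildDemoRepo(base string) (repo string, err error) {
	repo = filepath.Join(base, "repo")
	check := func(e error) { // keep the first error
		if err == nil {
			err = e
		}
	}
	check(os.MkdirAll(filepath.Join(repo, "templates"), 0o755))
	check(os.MkdirAll(filepath.Join(base, "outside"), 0o755))
	check(os.WriteFile(filepath.Join(repo, "values.yaml"), []byte("replicas: 1\n"), 0o600))
	check(os.WriteFile(filepath.Join(base, "outside", "secret.yaml"), []byte("token: sample\n"), 0o600))
	check(os.Symlink("../values.yaml", filepath.Join(repo, "templates", "ok.yaml")))
	check(os.Symlink("../../outside/secret.yaml", filepath.Join(repo, "templates", "escape.yaml")))
	return repo, err
}
```

Running EscapingSymlinks over the demo checkout reports only templates/escape.yaml; a repo-server that rejects such a checkout before rendering never reads the out-of-bounds file.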

Comment 2 errata-xmlrpc 2022-06-22 04:17:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2022:5152 https://access.redhat.com/errata/RHSA-2022:5152

Comment 3 errata-xmlrpc 2022-06-23 09:07:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:5153 https://access.redhat.com/errata/RHSA-2022:5153

Comment 4 errata-xmlrpc 2022-06-24 20:14:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5192 https://access.redhat.com/errata/RHSA-2022:5192

Comment 5 errata-xmlrpc 2022-06-24 21:07:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5187 https://access.redhat.com/errata/RHSA-2022:5187

Comment 6 Product Security DevOps Team 2022-06-28 12:06:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31036