Bug 2241141 (CVE-2023-40026)

Summary: CVE-2023-40026 argo-cd: path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, gparvin, njean, owatkins, pahickey, shbose, stcannon, teagle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: argo-cd 2.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Argo CD. For any version using Helm, using a specially crafted Helm file could reference external Helm charts handled by the same repo-server to leak values or files from the referenced Helm Chart. This issue is possible because the Helm paths were predictable.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2241142    

Description TEJ RATHI 2023-09-28 08:46:10 UTC 
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation.

https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h