Bug 2050826 (CVE-2022-24348) - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2050828
Reported: 2022-02-04 17:49 UTC by Pedro Sampaio
Modified: 2022-02-25 20:32 UTC (History)

Fixed In Version: argocd-2.3.0, argocd-2.2.4, argocd-2.1.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GitOps. This flaw allows an attacker with permissions to create or update applications in ArgoCD to craft a malicious helm chart that contains symbolic links pointing to arbitrary paths outside the repository root folder, leading to a path traversal issue. This issue enables the attacker to gain access to confidential information stored in other repositories within the same ArgoCD installation.
Clone Of:
Environment:
Last Closed: 2022-02-08 23:13:18 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:0476  0        None      None    None     2022-02-08 22:09:25 UTC
Red Hat Product Errata  RHSA-2022:0477  0        None      None    None     2022-02-08 22:16:40 UTC
Red Hat Product Errata  RHSA-2022:0580  0        None      None    None     2022-02-17 21:47:11 UTC
Red Hat Product Errata  RHSA-2022:0682  0        None      None    None     2022-02-25 20:32:47 UTC

Description Pedro Sampaio 2022-02-04 17:49:31 UTC
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
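
The containment check that the Doc Text and the description above imply, as an added Go example that is not Argo CD's own code from repository.go: a Helm value-file path is accepted only if it still lies inside the repository checkout after "../" segments are cleaned and symlinks are followed. ResolveValueFile, ErrOutsideRepo and the inside helper are names chosen here, not Argo CD identifiers.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested value file would be read from
// outside the repository checkout (hypothetical name, not an Argo CD API).
var ErrOutsideRepo = errors.New("helm value file resolves outside repository root")

// ResolveValueFile returns the absolute, symlink-resolved path of valueFile if
// and only if it stays inside repoRoot. The path is checked twice: lexically,
// so "../" traversal is rejected before the filesystem is touched, and again
// after filepath.EvalSymlinks, so a symlink committed to the chart cannot
// point the Helm render at a file from another repository or from the host.
func ResolveValueFile(repoRoot, valueFile string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	if root, err = filepath.Abs(root); err != nil {
		return "", err
	}
	candidate := valueFile
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(root, candidate) // Join also cleans the path
	}
	if !inside(root, filepath.Clean(candidate)) {
		return "", ErrOutsideRepo // lexical traversal such as ../other/secret.yaml
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err // missing file or dangling symlink
	}
	if !inside(root, resolved) {
		return "", ErrOutsideRepo // symlink target escaped the checkout
	}
	return resolved, nil
}

// inside reports whether path is root itself or lies beneath it. filepath.Rel
// is used instead of a string prefix so that /repo2 is not accepted for /repo.
func inside(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}
```

The test below builds a constructed checkout with a legitimate values.yaml, a sibling directory holding a secret, and a symlink inside the checkout pointing at that secret; only the legitimate file is accepted.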

Comment 2 errata-xmlrpc 2022-02-08 22:09:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:0476 https://access.redhat.com/errata/RHSA-2022:0476

Comment 3 errata-xmlrpc 2022-02-08 22:16:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:0477 https://access.redhat.com/errata/RHSA-2022:0477

Comment 4 Product Security DevOps Team 2022-02-08 23:13:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24348

Comment 6 errata-xmlrpc 2022-02-17 21:47:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.2

Via RHSA-2022:0580 https://access.redhat.com/errata/RHSA-2022:0580

Comment 7 errata-xmlrpc 2022-02-25 20:32:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:0682 https://access.redhat.com/errata/RHSA-2022:0682

