Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
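A directory traversal of this kind is closed by resolving every chart-referenced file path against the repository checkout and rejecting any result outside it, both before and after symlink resolution. The Go code below is an added example, not Argo CD's code or its fix; `resolveUnderRoot`, `inside`, `checkSamples` and the sample file names are hypothetical, and the directory tree is constructed in a temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path escapes repository root")

func inside(root, p string) bool { // true if p is root or lexically below it
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveUnderRoot (hypothetical helper) returns the real path of requested only if it stays inside root; it fails closed when root cannot be resolved.
func resolveUnderRoot(root, requested string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	candidate := filepath.Join(realRoot, requested) // Join cleans "../" segments
	if err != nil || filepath.IsAbs(requested) || !inside(realRoot, candidate) {
		return "", errOutsideRoot
	}
	// Re-check after symlink resolution: a link committed to the repository must not lead out of it.
	realPath, err := filepath.EvalSymlinks(candidate)
	if err == nil && !inside(realRoot, realPath) {
		return "", errOutsideRoot
	}
	return realPath, err
}

// checkSamples builds a constructed tree and reports which requested paths are accepted.
func checkSamples() map[string]bool {
	base, _ := os.MkdirTemp("", "repo-demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.Mkdir(repo, 0o755)
	os.WriteFile(filepath.Join(repo, "values.yaml"), []byte("replicas: 1\n"), 0o600)
	os.WriteFile(filepath.Join(base, "outside.yaml"), []byte("token: constructed\n"), 0o600)
	os.Symlink(filepath.Join(base, "outside.yaml"), filepath.Join(repo, "link.yaml"))
	out := map[string]bool{}
	for _, p := range []string{"values.yaml", "../outside.yaml", "link.yaml", "/etc/hostname"} {
		_, err := resolveUnderRoot(repo, p)
		out[p] = err == nil
	}
	return out
}

func main() { fmt.Println(checkSamples()) }
```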
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.3. Via RHSA-2022:0476: https://access.redhat.com/errata/RHSA-2022:0476
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.4. Via RHSA-2022:0477: https://access.redhat.com/errata/RHSA-2022:0477
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24348
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.2. Via RHSA-2022:0580: https://access.redhat.com/errata/RHSA-2022:0580
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.3. Via RHSA-2022:0682: https://access.redhat.com/errata/RHSA-2022:0682