Bug 2062755 (CVE-2022-24731) - CVE-2022-24731 argocd: path traversal allows leaking out-of-bound files
Summary: CVE-2022-24731 argocd: path traversal allows leaking out-of-bound files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24731
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2062752
TreeView+ depends on / blocked
 
Reported: 2022-03-10 14:14 UTC by Marian Rehak
Modified: 2022-07-06 19:08 UTC (History)
2 users (show)

Fixed In Version: argocd 2.3.0, argocd 2.2.6, argocd 2.1.11
Doc Type: If docs needed, set a value
Doc Text:
A path traversal flaw was found in ArgoCD. This flaw allows an attacker who has been granted create or update access to applications to leak the contents of any text file on the repo-server by crafting a malicious Helm chart. Such text files could include sensitive information that the attacker should not have access to, compromising data confidentiality.
Clone Of:
Environment:
Last Closed: 2022-03-24 00:01:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1039 0 None None None 2022-03-23 21:20:09 UTC
Red Hat Product Errata RHSA-2022:1040 0 None None None 2022-03-23 21:17:32 UTC
Red Hat Product Errata RHSA-2022:1041 0 None None None 2022-03-23 21:19:03 UTC
Red Hat Product Errata RHSA-2022:1042 0 None None None 2022-03-23 21:53:47 UTC

Description Marian Rehak 2022-03-10 14:14:18 UTC 
A path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server.
Comment 2 errata-xmlrpc 2022-03-23 21:17:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:1040 https://access.redhat.com/errata/RHSA-2022:1040
Comment 3 errata-xmlrpc 2022-03-23 21:19:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:1041 https://access.redhat.com/errata/RHSA-2022:1041
Comment 4 errata-xmlrpc 2022-03-23 21:20:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.2

Via RHSA-2022:1039 https://access.redhat.com/errata/RHSA-2022:1039
Comment 5 errata-xmlrpc 2022-03-23 21:53:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:1042 https://access.redhat.com/errata/RHSA-2022:1042
Comment 6 Product Security DevOps Team 2022-03-24 00:01:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24731
Note You need to log in before you can comment on or make changes to this bug.