Bug 2096291 (CVE-2022-31036) - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access
Summary: CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malic...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31036
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2096259
TreeView+ depends on / blocked
 
Reported: 2022-06-13 13:01 UTC by Rohit Keshri
Modified: 2022-07-14 18:54 UTC (History)
2 users (show)

Fixed In Version: ArgoCD 2.1.16, ArgoCD 2.2.10, ArgoCD 2.3.5, ArgoCD 2.4.1
Doc Type: If docs needed, set a value
Doc Text:
A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.
Clone Of:
Environment:
Last Closed: 2022-06-28 12:06:15 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5152 0 None None None 2022-06-22 04:17:59 UTC
Red Hat Product Errata RHSA-2022:5153 0 None None None 2022-06-23 09:07:58 UTC
Red Hat Product Errata RHSA-2022:5187 0 None None None 2022-06-24 21:07:18 UTC
Red Hat Product Errata RHSA-2022:5192 0 None None None 2022-06-24 20:14:16 UTC

Description Rohit Keshri 2022-06-13 13:01:49 UTC 
All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak-sensitive YAML files from Argo CD's repo-server.

A malicious Argo CD user with write access for a repository (or maybe) used in a Helm-type Application may commit a symlink pointing to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file.

Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server.
Comment 2 errata-xmlrpc 2022-06-22 04:17:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2022:5152 https://access.redhat.com/errata/RHSA-2022:5152
Comment 3 errata-xmlrpc 2022-06-23 09:07:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.4

Via RHSA-2022:5153 https://access.redhat.com/errata/RHSA-2022:5153
Comment 4 errata-xmlrpc 2022-06-24 20:14:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5192 https://access.redhat.com/errata/RHSA-2022:5192
Comment 5 errata-xmlrpc 2022-06-24 21:07:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.3

Via RHSA-2022:5187 https://access.redhat.com/errata/RHSA-2022:5187
Comment 6 Product Security DevOps Team 2022-06-28 12:06:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31036
Note You need to log in before you can comment on or make changes to this bug.