Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CDs repo-server. A malicious Argo CD user who has been granted create or update access to Applications can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive files contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from another Applications source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The problem can be mitigated by avoiding storing secrets in git, avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-server, and carefully limiting who can create or update Applications.
The product generates an error message that includes sensitive information about its environment, users, or associated data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Argo-cd | Linuxfoundation | 1.5.0 (including) | 2.1.11 (excluding) |
| Argo-cd | Linuxfoundation | 2.2.0 (including) | 2.2.6 (excluding) |
| Argo-cd | Linuxfoundation | 2.3.0-rc1 (including) | 2.3.0-rc1 (including) |
| Argo-cd | Linuxfoundation | 2.3.0-rc2 (including) | 2.3.0-rc2 (including) |
| Argo-cd | Linuxfoundation | 2.3.0-rc4 (including) | 2.3.0-rc4 (including) |
| Argo-cd | Linuxfoundation | 2.3.0-rc5 (including) | 2.3.0-rc5 (including) |
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways:
An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of “..” sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.