Argo CD releases patch for zero-day vulnerability

Malicious actors can load a Kubernetes Helm Chart YAML file to the vulnerability and "hop from their application ecosystem to other applications' data outside of the user's scope," says Apiiro.
Written by Jonathan Greig, Contributor

Argo CD released a patch this week for a zero-day vulnerability enabling attackers to access sensitive information like passwords and API keys.

The vulnerability was discovered by Apiiro's Security Research team and explained in a blog post released alongside the patch. 

Argo CD is a popular open source Continuous Delivery platform, and the vulnerability -- tagged as CVE-2022-24348 with a CVSS score of 7.7 -- "allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and 'hop' from their application ecosystem to other applications' data outside of the user's scope." 

The actors can then read and exfiltrate data residing in other applications, according to Apiiro. 

On GitHub, the company said all versions of Argo CD are vulnerable to the path traversal bug and noted that it is "possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository's root directory."

"If an attacker with permissions to create or update Applications knows or can guess the full path to a file containing valid YAML, they can create a malicious Helm chart to consume that YAML as values files, thereby gaining access to data they would otherwise have no access to," Argo CD explained.

"The impact can especially become critical in environments that make use of encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data, and decrypt these secrets to disk before rendering the Helm chart. Also, because any error message from helm template is passed back to the user, and these error messages are quite verbose, enumeration of files on the repository server's file system is possible."


There are no workarounds for the issue, and Argo CD urged its users to update their installations. Patches have been released for Argo CD v2.3.0, v2.2.4, and v2.1.9.

Apiiro explained that it notified Argo CD of the issue on January 30, and the two sides worked on resolving it over the last week. 

Vulcan Cyber CEO Yaniv Bar-Dayan said they are generally seeing more advanced persistent threats that leverage zero-day and known, unmitigated vulnerabilities in software supply chain software, such as Argo CD. 

For years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk, Bar-Dayan added.

"But hackers are always looking for the most-effective path of least resistance to attain their objectives. A recent rash of advanced persistent threats that leverage a supply chain zero-day vulnerability daisy chained with known, unmitigated vulnerabilities, demonstrates how hackers are becoming increasingly sophisticated and opportunistic. Obviously the SolarWinds hack was the most notorious APT to use the software supply chain as the main attack vector," Bar-Dayan explained. 

"In the event of a breach, it is unfair to put all the blame on the software supply chain vendor considering how bad actors often use known, unaddressed vulnerabilities that should have been mitigated by IT security teams well before the software supply chain hack became a reality. 

"We need to do better as an industry before our cyber debt sinks us. Apiiro and Argo have taken the right steps to help Argo customers reduce the risk associated with CVE-2022-24348, but now IT security teams must collaborate and do the work to protect their development environments and software supply chains from threat actors."

Editorial standards