what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 4 of 4 RSS Feed

CVE-2022-24730

Status Candidate

Overview

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `get` access for a repository containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application `create` privileges or B) have been granted Application `get` privileges and are requesting details for a `repo_url` that has already been used for the given Application. There are currently no known workarounds.

Related Files

Red Hat Security Advisory 2022-1039-01
Posted Mar 24, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1039-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include privilege escalation and traversal vulnerabilities.

tags | advisory, vulnerability
systems | linux, redhat
advisories | CVE-2020-25709, CVE-2020-25710, CVE-2021-23177, CVE-2021-31566, CVE-2021-3999, CVE-2021-45960, CVE-2021-46143, CVE-2022-1025, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23218, CVE-2022-23219, CVE-2022-23308, CVE-2022-23852, CVE-2022-24407, CVE-2022-24730, CVE-2022-24731, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315
SHA-256 | a3aa6dabb32b90d59c78082f139db0780896fec7f29703a5c21de22ea3a9a54a
Red Hat Security Advisory 2022-1040-01
Posted Mar 24, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1040-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include privilege escalation and traversal vulnerabilities.

tags | advisory, vulnerability
systems | linux, redhat
advisories | CVE-2022-1025, CVE-2022-24730, CVE-2022-24731
SHA-256 | 8585975b6b8703271e6071314b4fb1c73d4b84f1a0f532c60be866e36b89a090
Red Hat Security Advisory 2022-1041-01
Posted Mar 24, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1041-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include privilege escalation and traversal vulnerabilities.

tags | advisory, vulnerability
systems | linux, redhat
advisories | CVE-2021-23177, CVE-2021-31566, CVE-2021-3999, CVE-2021-45960, CVE-2021-46143, CVE-2022-0261, CVE-2022-0318, CVE-2022-0359, CVE-2022-0361, CVE-2022-0392, CVE-2022-0413, CVE-2022-1025, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23218, CVE-2022-23219, CVE-2022-23308, CVE-2022-23852, CVE-2022-24407, CVE-2022-24730, CVE-2022-24731, CVE-2022-25235, CVE-2022-25236
SHA-256 | 6445fba90799b01b872171494589c69dffa5557ff9ffa53f46f79a6cee9831a2
Red Hat Security Advisory 2022-1042-01
Posted Mar 24, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1042-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include privilege escalation and traversal vulnerabilities.

tags | advisory, vulnerability
systems | linux, redhat
advisories | CVE-2020-25709, CVE-2020-25710, CVE-2021-23177, CVE-2021-31566, CVE-2021-3999, CVE-2021-45960, CVE-2021-46143, CVE-2022-0261, CVE-2022-0318, CVE-2022-0359, CVE-2022-0361, CVE-2022-0392, CVE-2022-0413, CVE-2022-0811, CVE-2022-1025, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23218, CVE-2022-23219, CVE-2022-23308, CVE-2022-23852, CVE-2022-24407, CVE-2022-24730
SHA-256 | 5265a1937f32a43b20d3f66c08e5c5c57fd157ff3cf351d7f38e42467527af1a
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close