Argo · Argo Events · CVE-2022-25856
**Name of the Vulnerable Software and Affected Versions**
github.com/argoproj/argo-events/sensors/artifacts versions prior to 1.7.1
**Description**
The issue is a directory traversal vulnerability in the `GitArtifactReader` component, specifically in the `(g *GitArtifactReader).Read()` API. `Read()` resolves the configured file path against the cloned repository without validating it at read time: a path containing `../` components is followed upward out of the clone, and a symbolic link inside the clone that points elsewhere is followed as well. An attacker who controls that path can therefore read any file on the host that the sensor process can access.
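The following Go program is an added illustration, not code from the argo-events project: it places the unchecked read pattern described above (join the caller-supplied path onto the clone directory and read it) next to a hardened reader that adds the two checks the vulnerable version lacks, a lexical containment check after cleaning and a second check after symlink resolution. The function names, the temporary directory layout and the file contents are constructed for the example and are not the project's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideClone is returned when the requested path, after cleaning and
// symlink resolution, does not stay inside the clone directory.
var ErrOutsideClone = errors.New("requested path escapes the clone directory")

// vulnerableRead models the unchecked pattern (hypothetical name, not the
// project's function): the caller-supplied path is joined onto the clone
// directory and read as-is. Join applies "../" components and ReadFile follows
// symlinks, so any file readable by the process can be returned.
func vulnerableRead(cloneDir, filePath string) ([]byte, error) {
	return os.ReadFile(filepath.Join(cloneDir, filePath))
}

// safeRead checks containment twice: once on the cleaned path (catches "../"),
// then on the symlink-resolved path (catches a link that points outside).
func safeRead(cloneDir, filePath string) ([]byte, error) {
	root, err := filepath.EvalSymlinks(cloneDir)
	if err != nil {
		return nil, err
	}
	if root, err = filepath.Abs(root); err != nil {
		return nil, err
	}
	// Join cleans the result, so "sub/../../x" collapses before the check and
	// an absolute filePath is treated as relative to root.
	target := filepath.Join(root, filePath)
	if !within(root, target) {
		return nil, ErrOutsideClone
	}
	resolved, err := filepath.EvalSymlinks(target)
	if err != nil {
		return nil, err
	}
	if !within(root, resolved) {
		return nil, ErrOutsideClone
	}
	return os.ReadFile(resolved)
}

// within reports whether p is root or a descendant of root. Both arguments
// must already be absolute and cleaned.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// buildSandbox constructs a throwaway layout (not a real git clone):
//   <tmp>/host-secret          a file outside the clone
//   <tmp>/clone/manifest.yaml  a legitimate file inside the clone
//   <tmp>/clone/escape         symlink -> ../host-secret
func buildSandbox() (string, func(), error) {
	base, err := os.MkdirTemp("", "argo-events-traversal-")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(base) }
	cloneDir := filepath.Join(base, "clone")
	try := func(e error) {
		if err == nil {
			err = e
		}
	}
	try(os.Mkdir(cloneDir, 0o755))
	try(os.WriteFile(filepath.Join(base, "host-secret"), []byte("token=hunter2"), 0o600))
	try(os.WriteFile(filepath.Join(cloneDir, "manifest.yaml"), []byte("kind: Deployment\n"), 0o644))
	try(os.Symlink(filepath.Join("..", "host-secret"), filepath.Join(cloneDir, "escape")))
	if err != nil {
		cleanup()
		return "", nil, err
	}
	return cloneDir, cleanup, nil
}

func main() {
	cloneDir, cleanup, err := buildSandbox()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, p := range []string{"manifest.yaml", "../host-secret", "escape"} {
		v, vErr := vulnerableRead(cloneDir, p)
		s, sErr := safeRead(cloneDir, p)
		fmt.Printf("%-16s unchecked: %q %v | checked: %q %v\n", p, v, vErr, s, sErr)
	}
}
```

Both containment checks are needed: the lexical check alone passes `escape` because the link sits inside the clone, and resolving symlinks alone would still let a cleaned `../host-secret` through if the resolved path were never compared against the clone root.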
**Recommendations**
Update to version 1.7.1 or later. Until the update is applied, restrict who can supply the file path that `GitArtifactReader` reads (the path comes from sensor configuration, so limit who can create or edit sensors that use a Git artifact source), and audit existing configurations for paths containing `..` or pointing at symbolic links inside the repository.