PT-2022-16973 · Unknown · Kubernetes

Crenshaw-Dev · Published 2022-05-20 · Updated 2024-08-21 · CVE-2022-24904

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Argo CD versions 0.7.0 through 2.1.14
Argo CD versions 2.2.0 through 2.2.8
Argo CD versions 2.3.0 through 2.3.3
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A symlink-following bug in Argo CD's repo-server lets a malicious user with write access to a repository that is (or may be) used in a directory-type Application commit a symlink pointing to a file outside the repository, and the repo-server then leaks that file's contents. Sensitive files that could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if a decryption plugin is in use) and any JSON-formatted secrets mounted as files on the repo-server.
Recommendations
For versions 0.7.0 through 2.1.14, upgrade to version 2.1.15 or later.
For versions 2.2.0 through 2.2.8, upgrade to version 2.2.9 or later.
For versions 2.3.0 through 2.3.3, upgrade to version 2.3.4 or later.
As a temporary workaround, users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications can disable the Jsonnet/directory config management tool by setting jsonnet.enable to false.
Restrict access to sensitive files and limit who has push access to manifest repositories. Limit who is allowed to configure new source repositories and restrict user access to only the necessary Projects. Avoid mounting JSON-formatted secrets as files on the repo-server.
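The defect described above is the classic "link following" class: a component reads files from a checked-out directory source and trusts that every path under the repository root stays under it, but a committed symlink can resolve to anywhere the process can read. The check below is an added illustration of how a server-side component can reject such a source before rendering it; it is not Argo CD's code and the function names (findEscapingSymlinks, isWithin, buildFixture) and the on-disk layout are constructed for this example. It walks a repository without following links, resolves every symlink it meets, and reports the ones whose target lies outside the resolved repository root (dangling links are reported too, since they leak nothing now but can be repointed by a later commit).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// isWithin reports whether target is root itself or lives below root.
// Both paths must already be absolute and symlink-resolved.
func isWithin(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// findEscapingSymlinks walks repoRoot (without following links) and returns
// the repo-relative paths of every symlink that resolves outside repoRoot or
// does not resolve at all. A directory-type source containing any such entry
// should be rejected rather than rendered. Constructed example, not Argo CD code.
func findEscapingSymlinks(repoRoot string) ([]string, error) {
	absRoot, err := filepath.Abs(repoRoot)
	if err != nil {
		return nil, err
	}
	// Resolve the root itself so a root under a symlinked temp dir compares
	// correctly against resolved link targets.
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return nil, err
	}
	var escaping []string
	// filepath.Walk uses Lstat and never descends into symlinked directories,
	// so a link to an outside directory shows up here as a single symlink entry.
	err = filepath.Walk(absRoot, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.Mode()&os.ModeSymlink == 0 {
			return nil // regular files and directories are in-bounds by construction
		}
		target, evalErr := filepath.EvalSymlinks(path) // follows the whole chain
		if evalErr != nil || !isWithin(absRoot, target) {
			rel, _ := filepath.Rel(absRoot, path)
			escaping = append(escaping, rel)
		}
		return nil
	})
	return escaping, err
}

// buildFixture lays out a constructed repository under base and returns its root:
//   repo/manifests/deploy.yaml  ordinary in-bounds manifest
//   repo/manifests/safe-link    symlink -> deploy.yaml (stays in-bounds)
//   repo/manifests/leak         symlink -> ../../outside/secret.json (escapes)
// outside/secret.json stands in for a secret mounted as a file on the server.
func buildFixture(base string) (string, error) {
	repo := filepath.Join(base, "repo")
	manifests := filepath.Join(repo, "manifests")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{manifests, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	if err := os.WriteFile(filepath.Join(manifests, "deploy.yaml"), []byte("kind: Deployment\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(outside, "secret.json"), []byte(`{"token":"constructed"}`), 0o600); err != nil {
		return "", err
	}
	if err := os.Symlink("deploy.yaml", filepath.Join(manifests, "safe-link")); err != nil {
		return "", err
	}
	if err := os.Symlink(filepath.Join("..", "..", "outside", "secret.json"), filepath.Join(manifests, "leak")); err != nil {
		return "", err
	}
	return repo, nil
}

func main() {
	base, err := os.MkdirTemp("", "symlink-check")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(base)
	repo, err := buildFixture(base)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	escaping, err := findEscapingSymlinks(repo)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("symlinks escaping the repo root:", escaping)
}
```

The comparison is done on resolved absolute paths rather than on the link's literal target string, because a target such as `a/../../../etc/x` or a chain of links through an in-bounds intermediate would defeat a textual prefix check. On the fixture above only `manifests/leak` is reported; `safe-link` resolves inside the root and is accepted.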

Weakness Enumeration

Link Following

Related Identifiers

CVE-2022-24904
GHSA-6GCG-HP2X-Q54H
GO-2022-0453

Affected Products

Argo CD
Kubernetes