PT-2022-17571 · Argo · Argo Events

Derek Wang · Published 2022-06-17 · Updated 2023-08-08 · CVE-2022-25856

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: github.com/argoproj/argo-events/sensors/artifacts, versions prior to 1.7.1
Description: A directory traversal vulnerability in the GitArtifactReader component, specifically in the (g *GitArtifactReader).Read() API. GitArtifactReader performs no check on the file path at read time, so a pathname that contains a symbolic link or a relative component such as ../ can lead to arbitrary file reads: an attacker who controls the path can read files anywhere on the system by using symbolic links or by placing ../ in the path.
Recommendations: For versions prior to 1.7.1, update to version 1.7.1, which resolves the issue. As a temporary workaround until the update is applied, restrict access to the GitArtifactReader component or avoid pathnames that could be used for directory traversal.
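The two vectors named above (a ../ component and a symbolic link) need two different checks: one on the cleaned path and one after symlink resolution. The Go helper below shows both checks, as an added example for this advisory; it is hypothetical code written here, not the Argo Events implementation or its fix, and ReadRepoFile, escapes and ErrOutsideRepo are names chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo: the requested path resolves outside the checkout, via "../" or a symlink.
var ErrOutsideRepo = errors.New("path escapes the repository checkout")

// escapes reports whether a root-relative path points above the root.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ReadRepoFile reads filePath relative to repoRoot, refusing paths that leave repoRoot
// after lexical cleaning or after symlink resolution. Hypothetical helper for this
// advisory, not the Argo Events implementation.
func ReadRepoFile(repoRoot, filePath string) ([]byte, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // canonical root for the comparisons below
	if err != nil {
		return nil, err
	}
	// Check 1 (lexical): Join cleans "../" segments; Rel shows whether the result is still under root.
	joined := filepath.Join(root, filePath)
	if rel, err := filepath.Rel(root, joined); err != nil || escapes(rel) {
		return nil, ErrOutsideRepo
	}
	// Check 2 (physical): follow every symlink in the path, then re-check containment.
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return nil, err
	}
	if rel, err := filepath.Rel(root, resolved); err != nil || escapes(rel) {
		return nil, ErrOutsideRepo
	}
	return os.ReadFile(resolved)
}

func main() { // usage: readrepo <checkout-root> <relative-path>
	data, err := ReadRepoFile(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refused:", err)
		os.Exit(1)
	}
	os.Stdout.Write(data)
}
```

Either check alone is insufficient: the lexical check passes a symlink named like an ordinary file, and the symlink check alone still follows ../ segments that Join has already folded into the path.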

Weakness Enumeration

Path traversal
Link Following

Related Identifiers

CVE-2022-25856
GHSA-QPGX-64H2-GC3C
GO-2022-0492
SNYK-GOLANG-GITHUBCOMARGOPROJARGOEVENTSSENSORSARTIFACTS-2864522

Affected Products

Argo Events