PT-2022-6942 · Argo Cd · Argo Cd

Alexmt +2 · Published 2022-03-23 · Updated 2024-08-21 · CVE-2022-24730

CVSS v3.1: 7.7 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Argo CD versions 1.3.0 through 2.1.10
Argo CD versions 2.2.0 through 2.2.5
Argo CD versions prior to 2.3.0 (2.3.0 itself is a fixed version)
Description

The issue is a path traversal bug compounded by an improper access control bug in Argo CD, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted get access for a repository containing a Helm chart can craft an API request to the "/api/v1/repositories/{repo url}/appdetails" endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server.
Recommendations

For Argo CD versions 1.3.0 through 2.1.10, update to version 2.1.11 or later. For Argo CD versions 2.2.0 through 2.2.5, update to version 2.2.6 or later. For Argo CD versions prior to 2.3.0, update to version 2.3.0 or later. As a temporary workaround, consider avoiding storing secrets in git, avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-server, and carefully limiting who has get access for repositories.
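The bug class described above is a server reading a file whose path is taken from a request without confining it to the repository checkout. The following Go function is an added example of such a containment check, written for this advisory and not taken from Argo CD's code base: it resolves the requested path (including symlinks on whatever part of it already exists) and rejects anything that lands outside the checkout root. The root directory and the request strings are assumptions for illustration.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path escapes the repository checkout.
var ErrOutsideRoot = errors.New("requested path escapes repository root")

// ResolveInRoot returns the absolute, symlink-resolved form of req and fails unless
// it lies inside root. req may be relative to root or absolute and may contain "..".
// Symlinks are resolved before the check, so a link inside the checkout that points
// outside it is rejected just like a "../" sequence.
func ResolveInRoot(root, req string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if absRoot, err = filepath.EvalSymlinks(absRoot); err != nil {
		return "", err
	}
	candidate := filepath.Clean(req)
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absRoot, candidate)
	}
	resolved, err := evalExistingPrefix(candidate)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(absRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// evalExistingPrefix resolves symlinks on the longest existing prefix of p and
// re-appends the not-yet-existing tail unchanged (p is already cleaned, so the tail has no "..").
func evalExistingPrefix(p string) (string, error) {
	var missing []string
	for cur := p; ; cur = filepath.Dir(cur) {
		if r, err := filepath.EvalSymlinks(cur); err == nil {
			return filepath.Join(append([]string{r}, missing...)...), nil
		} else if !errors.Is(err, os.ErrNotExist) || filepath.Dir(cur) == cur {
			return "", err
		}
		missing = append([]string{filepath.Base(cur)}, missing...)
	}
}
```

Call ResolveInRoot on every request-supplied path before opening it, and treat ErrOutsideRoot as a client error worth logging, since a repeat of it from one identity is a cheap detection signal for probing of this kind.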

Exploit

Fix

Path traversal

Incorrect Authorization

Improper Access Control


Weakness Enumeration

Related Identifiers

BDU:2023-05694
CVE-2022-24730
GHSA-R9CR-HVJJ-496V
GO-2022-0357

Affected Products

Argo Cd