Source |
CVE List |
Identifier |
4717093 |
Publication date |
2022-05-20 14:15:09 (viewed: 2022-05-20 17:10:48) |
Title |
CVE-2022-24904 |
Text |
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink-following bug that allows a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access to a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround. |
Notes |
|
Sent |
Yes |
Digest |
15m 2022 24904 above access allowing any application applications are argo been bounds bug commit config continuous could cve declarative decrypted decryption delivery directory disable file files following formatted from gitops has have include json jsonnet/directory kubernetes leak leaked malicious management manifest may mounted not other out patch plugin points potentially prior released repo repositories repository secrets sensitive server source starting symlink tool type used user users using version versions vulnerability vulnerable which who workaround write |
Tags |
Tool
Vulnerability
|
Stories |
Uber
|