A security researcher from Apiiro has uncovered a new 0-day vulnerability in Argo CD. This new path traversal vulnerability in Argo CD (CVE-2022-24348) allows attackers to exfiltrate sensitive information such as passwords and API keys from Kubernetes applications. Access to these sensitive information may give a safe way to carry out cyberattacks such as privilege escalation, sensitive information disclosure, and lateral movement. It is worth reading this post to know how to fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD
Table of Contents
What Is Argo CD (Continuous Deployment) Platform?
Argo CD is a continuous deployment platform for Kubernetes, which allows automatic deployments of all code changes to the development environment. TechWorld with Nana has created an awesome video to help people learn about Argo CD. Since this project is gaining a lot of popularity in the DevOps landscape, we can see there is a rise in the list of companies who opt for this platform in their development ecosystem.
Summary Of CVE-2022-24348- A Path Traversal Vulnerability In Argo CD:
The report says that the successful exploitation of CVE-2022-24348 vulnerability will allow an attacker to load a Kubernetes Helm Chart YAML file to the vulnerability and “hop” from their application ecosystem to other applications’ data outside of the user’s scope. This gives attackers to access and exfiltrate sensitive information such as secrets, tokens, passwords, and API keys from the Kubernetes applications. Attackers could use these sensitive information to commit more cyberattacks such as privilege escalation, sensitive information disclosure, lateral movement attacks, and more.
| Associated CVE ID | CVE-2022-24348 |
| Description | A Path Traversal Vulnerability in Argo CD |
| Associated ZDI ID | – |
| CVSS Score | 7.7 Medium |
| Vector | CVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | Low |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | None |
| availability (a) | None |
How To Fix CVE-2022-24348- A Path Traversal Vulnerability In Argo CD?
The CVE-2022-24348 vulnerability affects all versions of Argo, to address this, Argo rolled out new version with fix. All the users are urged to upgrade to these versions to fix CVE-2022-24348 vulnerability A Path Traversal Vulnerability in Argo CD.
- v2.3.0
- v2.2.4
- v2.1.9
Upgradation to these versions are the only available method to fix CVE-2022-24348 vulnerability since there are no workaround for this issue.
How To Upgrade Argo CD?
- See the latest Argo CD release
See the latest Argo CD release
- Read upgrade notes
Read the documentation to learn the upgrade procedure.
- Upgrade Argo CD
Update the Argo CD configuration to point the latest version. It will then sync and upgrade itself as soon as it notices the change to the repository.
- Upgrade manually if it fails
If the upgrade fails, you may need to manually apply the Argo CD configuration.
$ kubectl apply -k deployments/argo-cd/kustomization.yaml
We hope this post will help you know about How to Fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/270149.html