CVE-2022-24348 - OpenCVE

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Argoproj	Argo Cd
Redhat	Openshift Gitops

Configuration 1 [-]

OR	cpe:2.3:a:argoproj:argo_cd::::::::
	cpe:2.3:a:argoproj:argo_cd::::::::

Package	CPE	Advisory	Released Date
Red Hat OpenShift GitOps 1.2
openshift-gitops-1/applicationset-rhel8:v1.2.2-3	cpe:/a:redhat:openshift_gitops:1.2::el8	RHSA-2022:0580	2022-02-17T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.2.2-2	cpe:/a:redhat:openshift_gitops:1.2::el8	RHSA-2022:0580	2022-02-17T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.2.2-5	cpe:/a:redhat:openshift_gitops:1.2::el8	RHSA-2022:0580	2022-02-17T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.2.2-3	cpe:/a:redhat:openshift_gitops:1.2::el8	RHSA-2022:0580	2022-02-17T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.2.2-3	cpe:/a:redhat:openshift_gitops:1.2::el8	RHSA-2022:0580	2022-02-17T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.2.2-3	cpe:/a:redhat:openshift_gitops:1.2::el8	RHSA-2022:0580	2022-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.3
openshift-gitops-1/applicationset-rhel8:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.3.3-2	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0476	2022-02-08T00:00:00Z
openshift-gitops-1/applicationset-rhel8:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.3.4-1	cpe:/a:redhat:openshift_gitops:1.3::el8	RHSA-2022:0682	2022-02-25T00:00:00Z
Red Hat OpenShift GitOps 1.4
openshift-gitops-1/applicationset-rhel8:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.4.2-3	cpe:/a:redhat:openshift_gitops:1.4::el8	RHSA-2022:0477	2022-02-08T00:00:00Z

References

Link	Providers
https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/
https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7
https://nvd.nist.gov/vuln/detail/CVE-2022-24348
https://www.cve.org/CVERecord?id=CVE-2022-24348

History

Wed, 07 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Argoproj Argoproj argo Cd
CPEs	cpe:2.3:a:linuxfoundation:argo-cd::::::::	cpe:2.3:a:argoproj:argo_cd::::::::
Vendors & Products	Linuxfoundation Linuxfoundation argo-cd	Argoproj Argoproj argo Cd

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-04T20:26:21

Updated: 2024-08-03T04:07:02.386Z

Reserved: 2022-02-02T00:00:00

Link: CVE-2022-24348

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-04T21:15:08.103

Modified: 2024-08-07T15:43:51.540

Link: CVE-2022-24348

Redhat

Severity : Important

Publid Date: 2022-02-04T14:07:00Z

Links: CVE-2022-24348 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object