{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40026", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-08T13:46:25.243Z", "datePublished": "2023-09-27T20:43:01.743Z", "dateUpdated": "2024-08-02T18:24:55.173Z"}, "containers": {"cna": {"title": "Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h"}, {"name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions", "tags": ["x_refsource_MISC"], "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions"}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"version": "< 2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-27T20:43:01.743Z"}, "descriptions": [{"lang": "en", "value": "Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation."}], "source": {"advisory": "GHSA-6jqw-jwf5-rp8h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:55.173Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h"}, {"name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "D63E195F-F097-44AD-9A01-5B40C40A6426", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation."}, {"lang": "es", "value": "Argo CD es un framework continuo declarativo para Kubernetes. En las versiones de Argo CD anteriores a la 2.3 (a partir de al menos la v0.1.0, pero probablemente en cualquier versi\u00f3n que use Helm antes de la 2.3), el uso de un archivo Helm manipulado espec\u00edficamente podr\u00eda hacer referencia a gr\u00e1ficos Helm externos manejados por el mismo servidor de repositorio para filtrar valores, o archivos del Helm Chart al que se hace referencia. Esto fue posible porque los caminos de Helm eran predecibles. La vulnerabilidad funcion\u00f3 agregando un gr\u00e1fico de Helm que hac\u00eda referencia a los recursos de Helm desde rutas predecibles. Debido a que las rutas de los gr\u00e1ficos de Helm eran predecibles y estaban disponibles en una instancia de repositorio-servidor, era posible hacer referencia y luego representar los valores y recursos de otros gr\u00e1ficos de Helm existentes independientemente de los permisos. Si bien, generalmente los secretos no se almacenan en estos archivos, fue posible hacer referencia a cualquier valor de estos gr\u00e1ficos. Este problema se solucion\u00f3 en Argo CD 2.3 y versiones posteriores aleatorizando las rutas de Helm. Se recomienda a los usuarios que todav\u00eda utilizan Argo CD 2.3 o inferior que actualicen a una versi\u00f3n compatible. Si esto no es posible, deshabilitar la representaci\u00f3n de gr\u00e1ficos de Helm o utilizar un servidor de repositorio adicional para cada gr\u00e1fico de Helm evitar\u00eda una posible explotaci\u00f3n."}], "id": "CVE-2023-40026", "lastModified": "2024-08-07T15:43:51.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-27T21:15:09.713", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "argo-cd: path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server", "id": "2241141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241141"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation.", "A flaw was found in Argo CD. For any version using Helm, using a specially crafted Helm file could reference external Helm charts handled by the same repo-server to leak values or files from the referenced Helm Chart. This issue is possible because the Helm paths were predictable."], "mitigation": {"lang": "en:us", "value": "Disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation."}, "name": "CVE-2023-40026", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "acm-cluster-templates-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odr-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Will not fix", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-rhel8-operator", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2023-09-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-40026\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-40026\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h"], "threat_severity": "Moderate", "upstream_fix": "argo-cd 2.3"}