Apiiro’s Security Research team has disclosed a zero-day vulnerability, rated “high” severity, in Argo CD, an open source developer tool for Kubernetes.
Argo CD is a popular open source Continuous Delivery platform; the vulnerability enables attackers to access sensitive information such as secrets, passwords, and API keys. Argo CD manages and orchestrates the execution and monitoring of application deployment post-integration.
The major software supply chain 0-day vulnerability (CVE-2022-24348) allows malicious actors to load a Kubernetes Helm Chart YAML file that triggers the vulnerability and “hop” from their own application ecosystem to other applications’ data outside of the user’s scope.
The actors can read and exfiltrate secrets, tokens, and other sensitive information residing in other applications. The attack enables privilege escalation, sensitive information disclosure, lateral movement, and more.
Although Argo CD contributors were aware of this weak point in 2019 and implemented an anti-path-traversal mechanism, a bug in that control allows the vulnerability to be exploited.
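To show why a path-traversal control can still fail, here is an added illustration (not Argo CD’s code, and not the actual CVE-2022-24348 bug) of a Helm values-file path check: a string-prefix comparison that accepts a sibling directory whose name merely starts with the repository root, next to a containment check based on the relative path. The repository root, application path and file names are constructed examples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a values-file reference escapes the repository root.
var ErrOutsideRepo = errors.New("values file path escapes repository root")

// naivePrefixCheck is a hypothetical, flawed control: it joins the path and
// compares string prefixes. Root "/srv/repos/app" wrongly accepts
// "/srv/repos/app-other/values.yaml" because the string starts with the root.
func naivePrefixCheck(repoRoot, appPath, valueFile string) (string, error) {
	full := filepath.Join(repoRoot, appPath, valueFile)
	if !strings.HasPrefix(full, repoRoot) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// resolveValuesFile resolves a values-file reference relative to the application
// directory and rejects anything whose relative path from the root climbs upward.
// Symlinks are not followed here; a real check would resolve them first.
func resolveValuesFile(repoRoot, appPath, valueFile string) (string, error) {
	root := filepath.Clean(repoRoot)
	full := filepath.Join(root, appPath, valueFile) // Join also cleans ".." segments
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

func main() {
	// Constructed inputs: an app directory plus a reference that climbs to a sibling.
	root, app := "/srv/repos/app", "../app-other"
	p, err := naivePrefixCheck(root, app, "values.yaml")
	fmt.Println("naive  :", p, err) // accepted: prefix matches the sibling directory
	p, err = resolveValuesFile(root, app, "values.yaml")
	fmt.Println("correct:", p, err) // rejected with ErrOutsideRepo
}
```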
The team describes the impact of the vulnerability as two-fold. First, there are the direct implications of reading the contents of other files present on the reposerver, which can contain sensitive information and so affect an organisation.
Secondly, because application files usually contain an assortment of transitive values of secrets, tokens, and environment-sensitive settings, an attacker can effectively use this to expand their campaign by moving laterally through different services and escalating their privileges to gain more ground on the system and the target organisation’s resources.
The advisory on GitHub urges users of Argo CD to update their installation to one of the fixed versions.