Résumé
CVE-2022-24348 was a high-severity (CVSS 7.7) path traversal vulnerability in Argo CD, the GitOps continuous delivery tool for Kubernetes, discovered by Apiiro and disclosed in early February 2022, affecting Argo CD before 2.1.9 and 2.2.x before 2.2.4. An attacker with permission to create or update Argo CD applications could craft a malicious Kubernetes Helm chart whose values file was a symbolic link pointing outside the repository root, or pass arbitrary values files, so that when Argo CD's Helm chart processing dereferenced the link it read files belonging to other applications on the repo server. This broke the multi-tenant isolation boundary of the CD layer, letting the attacker exfiltrate sensitive data from neighboring tenants, including secrets in encrypted value files decrypted to disk by plugins such as git-crypt or SOPS, and use verbose Helm error messages to enumerate the filesystem. The issue was fixed in Argo CD 2.1.9, 2.2.4, and 2.3.0; it was treated as a zero-day at disclosure but was not associated with named ransomware operators.
Comment l’éviter dans votre code
- Upgrade Argo CD to 2.1.9, 2.2.4, or 2.3.0 (or later) immediately.
- Restrict application create/update permissions to trusted operators only.
- Isolate tenants onto separate repo-server instances where strong isolation is required.
- Avoid storing decryptable secrets on the Argo CD repo-server filesystem.
- Rotate any secrets that may have been exposed via cross-tenant file reads.
Références
Vulnérabilités liées
Tout Supply chain →- HIGHGHSA-GCQ3-MFVH-3X25
PraisonAI Code agent tools fail open without a workspace boundary
- CRITICALSC-JENKINS-CLI-2024
CVE-2024-23897 was a critical arbitrary file read vulnerability in the Jenkins automation server, identified by Sonar's Vulnerability Research and disclosed in the Jenkins security advisory on January 24, 2024, affecting Jenkins weekly up to 2.441 and LTS up to 2.426.2. Jenkins parses built-in CLI command arguments with the args4j library, whose expandAtFiles feature is enabled by default and replaces an argument that begins with an @ character followed by a file path with the contents of that file; because Jenkins never disabled this, an attacker could pass @/path/to/file as a CLI argument to make the controller read and disclose files from its filesystem. Unauthenticated attackers could read the first few lines of arbitrary files, while attackers with Overall/Read permission could read entire files, enabling theft of secrets, SSH keys, and credentials. The leaked binary secret keys could then be chained into full remote code execution by forging Remember-me cookies, abusing Resource Root URLs, bypassing CSRF protection, or decrypting stored secrets. The flaw was added to the CISA KEV catalog on August 19, 2024 and was actively exploited, including by the RansomEXX ransomware gang and the actor IntelBroker, and was linked to breaches at BORN Group and Brontoo Technology Solutions.
- CRITICALGHSA-2JQ4-Q6VV-4CP3
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
- CRITICALGHSA-HXPF-9XVQ-WPH8
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
- MEDIUMGHSA-FJV8-J4P5-CR9M
Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
- MEDIUMGHSA-4JVG-4JFX-FMHC
opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token