A zero-day vulnerability in Kubernetes development tool Argo lets malicious people steal passwords from git-crypt and other sensitive information by simply uploading a crafted Helm chart.
Tracked as CVE-2022-24438 with CVSS v3.0 score of 7.7, exists in Argo CD, patched versions available from the project’s maintainers are 2.19, 2.2.4 and 2.3.0. Redhat’s openshift project a main consumer of Argo CD
To craft special Helm chart packages containing value files that are actually symbolic links, pointing arbitrary files outside the repository’s root directory. The impact become critical in environments that make use of encrypted value files containing sensitive or confidential data, and decrypt these secrets to disk before rendering the Helm chart.
While finding a way of making an Argo URI parser accept a local file-path and confuse it to be a URI, and use that confusion to skip the whole cleanup and anti-path-traversal mechanism check. Argo CD were aware of this in 2019 and implemented an anti-path-traversal mechanism, a bug in the control [sic] allows for exploitation of this vulnerability.
Apiiro deduced that Argo CD’s URI parser always treats URI-formatted strings as having been sanitised earlier in the application’s workflow. Using a crafted Helm chart to pass it absolute file paths in URI format would therefore allow an attacker to sidestep Argo CD’s file path traversal prevention mechanism.
Supply chain attacks went big over the last year as criminals and nation states leapt on the idea of compromising widely used software suites. While the product owners come up with a solution, best update your installations to one of the fixed versions, as there is no workaround for this issue.