Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2022-24348- A Path Traversal Vulnerability In Argo CD
February 8, 2022
|
3m

How To Fix CVE-2022-24348- A Path Traversal Vulnerability In Argo CD


How To Fix Cve 2022 24348 A Path Traversal Vulnerability In Argo Cd

A security researcher from Apiiro has uncovered a new 0-day vulnerability in Argo CD. This new path traversal vulnerability in Argo CD (CVE-2022-24348) allows attackers to exfiltrate sensitive information such as passwords and API keys from Kubernetes applications. Access to this sensitive information may give a safe way to carry out cyberattacks such as privilege escalation, sensitive information disclosure, and lateral movement. It is worth reading this post to know how to fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD

What Is Argo CD (Continuous Deployment) Platform?

Argo CD is a continuous deployment platform for Kubernetes, which allows automatic deployments of all code changes to the development environment. TechWorld with Nana has created an awesome video to help people learn about Argo CD. Since this project is gaining a lot of popularity in the DevOps landscape, we can see there is a rise in the list of companies who opt for this platform in their development ecosystem.

Summary Of CVE-2022-24348- A Path Traversal Vulnerability In Argo CD:

The report says that the successful exploitation of the CVE-2022-24348 vulnerability will allow an attacker to load a Kubernetes Helm Chart YAML file to the vulnerability and hop from their application ecosystem to other applications data outside of the users scope. This gives attackers to access and exfiltrate sensitive information such as secrets, tokens, passwords, and API keys from the Kubernetes applications. Attackers could use these sensitive information to commit more cyberattacks such as privilege escalation, sensitive information disclosure, lateral movement attacks, and more.

Associated CVE IDCVE-2022-24348
DescriptionA Path Traversal Vulnerability in Argo CD
Associated ZDI ID
CVSS Score7.7 Medium
VectorCVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)None
availability (a)None

How To Fix CVE-2022-24348- A Path Traversal Vulnerability In Argo CD?

The CVE-2022-24348 vulnerability affects all versions of Argo, to address this, Argo rolled out new version with fix. All the users are urged to upgrade to these versions to fix CVE-2022-24348 vulnerability A Path Traversal Vulnerability in Argo CD.

  • v2.3.0

  • v2.2.4

  • v2.1.9

Upgradation to these versions are the only available method to fix CVE-2022-24348 vulnerability since there are no workaround for this issue.

How To Upgrade Argo CD?

Step 1. See the latest Argo CD release

See the latest Argo CD release

Step 2. Read upgrade notes

Read the documentation to learn the upgrade procedure.

Step 3. Upgrade Argo CD

Update the Argo CD configuration to point the latest version. It will then sync and upgrade itself as soon as it notices the change to the repository.

Step 4. Upgrade manually if it fails

If the upgrade fails, you may need to manually apply the Argo CD configuration.

$ kubectl apply -k deployments/argo-cd/kustomization.yaml

We hope this post would help you know about How to Fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe