• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-24348- A Path Traversal Vulnerability In Argo CD
How to Fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD

A security researcher from Apiiro has uncovered a new 0-day vulnerability in Argo CD. This new path traversal vulnerability in Argo CD (CVE-2022-24348) allows attackers to exfiltrate sensitive information such as passwords and API keys from Kubernetes applications. Access to these sensitive information may give a safe way to carry out cyberattacks such as privilege escalation, sensitive information disclosure, and lateral movement. It is worth reading this post to know how to fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD

What Is Argo CD (Continuous Deployment) Platform?

Argo CD is a continuous deployment platform for Kubernetes, which allows automatic deployments of all code changes to the development environment. TechWorld with Nana has created an awesome video to help people learn about Argo CD. Since this project is gaining a lot of popularity in the DevOps landscape, we can see there is a rise in the list of companies who opt for this platform in their development ecosystem.

Summary Of CVE-2022-24348- A Path Traversal Vulnerability In Argo CD:

The report says that the successful exploitation of CVE-2022-24348 vulnerability will allow an attacker to load a Kubernetes Helm Chart YAML file to the vulnerability and “hop” from their application ecosystem to other applications’ data outside of the user’s scope. This gives attackers to access and exfiltrate sensitive information such as secrets, tokens, passwords, and API keys from the Kubernetes applications. Attackers could use these sensitive information to commit more cyberattacks such as privilege escalation, sensitive information disclosure, lateral movement attacks, and more.

Associated CVE IDCVE-2022-24348
DescriptionA Path Traversal Vulnerability in Argo CD
Associated ZDI ID
CVSS Score7.7 Medium
VectorCVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)None
availability (a)None

How To Fix CVE-2022-24348- A Path Traversal Vulnerability In Argo CD?

The CVE-2022-24348 vulnerability affects all versions of Argo, to address this, Argo rolled out new version with fix. All the users are urged to upgrade to these versions to fix CVE-2022-24348 vulnerability A Path Traversal Vulnerability in Argo CD.

  • v2.3.0
  • v2.2.4
  • v2.1.9

Upgradation to these versions are the only available method to fix CVE-2022-24348 vulnerability since there are no workaround for this issue.

How To Upgrade Argo CD?

  1. See the latest Argo CD release

    See the latest Argo CD release

  2. Read upgrade notes

    Read the documentation to learn the upgrade procedure.

  3. Upgrade Argo CD

    Update the Argo CD configuration to point the latest version. It will then sync and upgrade itself as soon as it notices the change to the repository.

  4. Upgrade manually if it fails

    If the upgrade fails, you may need to manually apply the Argo CD configuration.

    $ kubectl apply -k deployments/argo-cd/kustomization.yaml

We hope this post will help you know about How to Fix CVE-2022-24348- A Path Traversal Vulnerability in Argo CD. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.