CVE-2022-24904

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-24904

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24904.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-24904

Aliases

Published

2022-05-20T13:55:11Z

Modified

2025-12-04T09:42:46.321180Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.

Database specific

{
    "cwe_ids": [
        "CWE-59",
        "CWE-61"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24904.json"
}

References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

6fc345f555dff62d232fe03bf17b8bf84d7f1b5d

Fixed

52f917a18165416baa418822daae36c5f011e91f

Database specific

{
    "versions": [
        {
            "introduced": "0.7.0"
        },
        {
            "fixed": "2.1.15"
        }
    ]
}

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a

Fixed

38755a4c1e5232aa2e6f80c062593c9f07da0757

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

fe427802293b090f43f91f5839393174df6c3b3a

Fixed

ac8b7df9467ffcc0920b826c62c4b603a7bfed24

Database specific

{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.4"
        }
    ]
}

Affected versions

v0.*

v0.7.0

v0.7.1

v0.8.0

v2.*

v2.1.0

v2.1.0-rc1

v2.1.0-rc2

v2.1.0-rc3

v2.1.1

v2.1.10

v2.1.11

v2.1.12

v2.1.13

v2.1.14

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.3.0

v2.3.1

v2.3.2

v2.3.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24904.json"