CVE-2022-24348 is a high-severity security vulnerability in Argo CD that could enable threat actors to access a victim’s application-development environments, making it possible to harvest passwords, API keys, tokens, among other sensitive details.
CVE-2022-24348 in Argo CD Needs Immediate Patching
The vulnerability was uncovered by Apiiro’s Security Research team. The researchers describe the flaw as “a major software supply chain 0-day vulnerability in Argo CD.” Argo CD is a popular open-source Continuous Delivery platform that manages the execution and monitoring of application deployment post-integration. The platform is used by thousands of organizations worldwide, which underscores the vulnerability’s potential impact.
The CVE-2022-24348 vulnerability could allow threat actors to load a Kubernetes Helm Chart YAML file and pivot from their own application ecosystem to other applications’ data outside the user’s scope, according to Apiiro’s report. Exploiting the flaw lets attackers read and exfiltrate sensitive data in several attack scenarios, including privilege escalation, sensitive information disclosure, and lateral movement.
“Although Argo CD contributors were aware of this weak point in 2019 and implemented an anti-path-traversal mechanism, a bug in the control allows for exploitation of this vulnerability,” the researchers noted.
“Because application files usually contain an assortment of transitive values of secrets, tokens and environmental sensitive settings – this can effectively be used by the attacker to further expand their campaign by moving laterally through different services and escalating their privileges to gain more ground on the system and target organization’s resources,” the report added.
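To make the “anti-path-traversal mechanism” point concrete, here is an added example (not Argo CD’s code and not the specific bug Apiiro found) contrasting a blocklist-style check on a Helm values-file path with a containment check that resolves the path against the application root; the repository paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested values file would resolve
// outside the application's own directory in the checked-out repository.
var ErrOutsideRoot = errors.New("values file path escapes application root")

// WeakValuesFilePath is the kind of blocklist check that is easy to get wrong:
// it rejects only paths that *start with* "..", so a path such as
// "sub/../../other-app/values.yaml" passes and still resolves outside appRoot.
// Shown for contrast; hypothetical, not Argo CD's implementation.
func WeakValuesFilePath(appRoot, valuesFile string) (string, error) {
	if filepath.IsAbs(valuesFile) || strings.HasPrefix(valuesFile, "..") {
		return "", ErrOutsideRoot
	}
	return filepath.Join(appRoot, valuesFile), nil
}

// SafeValuesFilePath resolves valuesFile relative to appRoot, cleans the result
// and accepts it only if it is still contained in appRoot. filepath.Rel avoids
// the classic string-prefix mistake where "/repo/app-a-other" would match
// a root of "/repo/app-a". Symlinks inside the checkout are a separate concern:
// resolve them (e.g. filepath.EvalSymlinks) before applying this check.
func SafeValuesFilePath(appRoot, valuesFile string) (string, error) {
	if filepath.IsAbs(valuesFile) {
		return "", ErrOutsideRoot
	}
	root := filepath.Clean(appRoot)
	full := filepath.Clean(filepath.Join(root, valuesFile))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	// Constructed repository layout: the app lives in /repo/app-a and a
	// neighbouring app's values file in /repo/app-b.
	for _, vf := range []string{"values-prod.yaml", "sub/../../app-b/values.yaml"} {
		weak, werr := WeakValuesFilePath("/repo/app-a", vf)
		safe, serr := SafeValuesFilePath("/repo/app-a", vf)
		fmt.Printf("%-32s weak=%q (%v)  safe=%q (%v)\n", vf, weak, werr, safe, serr)
	}
}
```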
If you’re an admin, you should apply the available Argo CD patch immediately.
Last year, the European Union Agency for Cybersecurity, better known as ENISA, analyzed 24 recent attacks, discovered between January 2020 and early July 2021, to highlight the threat of software supply-chain attacks. The cases the agency analyzed include Kaseya, SolarWinds Orion software, CDN provider Mimecast, Codecov, Apple Xcode, and Accellion.