Last Updated on 11/02/2022 by Nidhi Khandelwal
After a zero-day vulnerability was discovered in the Argo continuous deployment (CD) tool for Kubernetes, users are being advised to apply the fixes promptly. The vulnerability might allow an attacker to extract sensitive information such as passwords and API keys.
The bug, tracked as CVE-2022-24348 (CVSS 7.7), affects all versions and was fixed in versions 2.3.0, 2.2.4, and 2.1.9. On January 30, 2022, Apiiro, a cloud security startup, was credited with detecting and reporting the flaw.
Continuous deployment, also known as continuous delivery, is a procedure for automatically deploying all code changes to the testing and/or production environments after they have been thoroughly tested and merged into a central repository.
Alibaba Group, BMW Group, Deloitte, Gojek, IBM, Intuit, LexisNexis, Red Hat, Skyscanner, Swisscom, and Ticketmaster are among the 191 companies that use Argo CD.
According to Moshe Zioni, Apiiro’s VP of security research, the path-traversal vulnerability “allows bad actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope.”
Malicious Kubernetes Helm Chart YAML files, which specify a set of Kubernetes resources necessary to launch an application, can be loaded onto the target system by bad actors, allowing them to retrieve confidential information from other apps.
Successfully exploiting the flaw could result in catastrophic implications ranging from privilege escalation and sensitive data disclosure to lateral movement attacks and token exfiltration from other applications.
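As an added illustration of the defensive check that blocks this class of path-traversal bug (written for this article, not Argo CD's own code or its actual patch), the Go function below resolves a chart-referenced values file against an application's repository root and rejects anything that climbs outside it; the repository root and file names are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a referenced file resolves outside the repository root.
var ErrOutsideRepo = errors.New("referenced path escapes the repository root")

// ResolveInRepo joins a user-supplied relative path (for example a Helm values
// file named in an application manifest) onto repoRoot and checks, after
// lexical cleaning, that the result is still inside repoRoot. Absolute paths
// and any path that climbs above the root are rejected.
// Hypothetical helper for this article; not Argo CD's implementation.
// Note: this is a lexical check only. On a checked-out tree, symlinks inside
// the repository can still point outside it; resolve them with
// filepath.EvalSymlinks and re-run the same containment test.
func ResolveInRepo(repoRoot, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRepo
	}
	root := filepath.Clean(repoRoot)
	full := filepath.Clean(filepath.Join(root, userPath))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", ErrOutsideRepo
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// CheckValueFiles validates every values file a chart configuration references
// and returns the resolved paths that are safe to read, or the first violation.
func CheckValueFiles(repoRoot string, valueFiles []string) ([]string, error) {
	out := make([]string, 0, len(valueFiles))
	for _, vf := range valueFiles {
		p, err := ResolveInRepo(repoRoot, vf)
		if err != nil {
			return nil, fmt.Errorf("values file %q: %w", vf, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed sample: one in-repo values file and one that tries to climb out.
	for _, f := range []string{"charts/app/values.yaml", "../../other-app/secrets.yaml"} {
		if p, err := ResolveInRepo("/repos/tenant-a", f); err != nil {
			fmt.Printf("reject %q: %v\n", f, err)
		} else {
			fmt.Printf("accept %q -> %s\n", f, p)
		}
	}
}
```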