This bug found in Argo CD tool can steal your sensitive data

Last Updated on 11/02/2022 by Nidhi Khandelwal

After a zero-day vulnerability was discovered in Argo CD, the continuous deployment (CD) tool for Kubernetes, users are being advised to upgrade to the patched releases without delay. The vulnerability could allow an attacker to extract sensitive information such as passwords and API keys belonging to other applications managed by the same Argo CD instance.

The bug, tracked as CVE-2022-24348 (CVSS score 7.7), affects all earlier versions and was fixed in versions 2.3.0, 2.2.4, and 2.1.9. Apiiro, a cloud security startup, is credited with discovering and reporting the flaw on January 30, 2022.

Continuous deployment (closely related to continuous delivery) is the practice of automatically deploying every code change to the testing and/or production environments once it has passed its tests and been merged into a central repository. Argo CD does this for Kubernetes by pulling application manifests from Git repositories and applying them to clusters.

Alibaba Group, BMW Group, Deloitte, Gojek, IBM, Intuit, LexisNexis, Red Hat, Skyscanner, Swisscom, and Ticketmaster are among the 191 companies that use Argo CD.

According to Moshe Zioni, Apiiro’s VP of security research, the path-traversal vulnerability “allows bad actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope.”

A Helm chart is a packaged set of Kubernetes resource definitions (YAML files) needed to launch an application, and Argo CD reads the chart's values files from the application's source repository on its repo-server. The flaw is that the path of those values files was not confined to the repository root: an attacker who can submit a crafted chart to Argo CD can point it at files outside their own application's repository and have their contents read back, retrieving confidential information that belongs to other applications on the same server.

Successful exploitation could have serious consequences, ranging from sensitive data disclosure and privilege escalation to lateral movement and exfiltration of other applications' tokens and credentials.
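The following Go example is added here to illustrate the class of bug described above; it is not Argo CD's own code and does not reproduce the exact patched function. It shows a values-file resolver that simply joins a user-supplied path onto the repository checkout (the weak behaviour) next to one that confines the result to the repository root, and runs both over constructed paths of the kind that could appear in an Application's `spec.source.helm.valueFiles` list. The repository root `/repos/app-a`, the sibling checkout `app-b`, and the function names are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a requested values file would resolve
// outside the application's repository checkout.
var ErrPathTraversal = errors.New("values file path escapes repository root")

// resolveValuesFileUnchecked models the weak behaviour: the user-controlled
// path is simply joined onto the repository root. filepath.Join honours ".."
// segments, so "../app-b/secrets.yaml" walks into a sibling checkout that
// belongs to a different application on the same repo server.
func resolveValuesFileUnchecked(repoRoot, valuesFile string) string {
	return filepath.Join(repoRoot, valuesFile)
}

// resolveValuesFileChecked joins the path the same way but then verifies,
// lexically, that the cleaned result is still at or below repoRoot.
// Absolute paths are rejected outright rather than silently re-rooted.
func resolveValuesFileChecked(repoRoot, valuesFile string) (string, error) {
	if filepath.IsAbs(valuesFile) {
		return "", ErrPathTraversal
	}
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, valuesFile) // Join also cleans "a/../b"
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	// Anything outside root has a relative form of ".." or "../...". Compare
	// whole segments so that a file literally named "..foo" is still allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return candidate, nil
}

func main() {
	// Constructed: checkout of the attacker's own application on the repo server.
	const repoRoot = "/repos/app-a"

	// Constructed values-file paths: two legitimate, two attempting traversal.
	requests := []string{
		"values.yaml",
		"env/../values-prod.yaml",
		"../app-b/secrets.yaml",
		"/etc/passwd",
	}
	for _, vf := range requests {
		unchecked := resolveValuesFileUnchecked(repoRoot, vf)
		checked, err := resolveValuesFileChecked(repoRoot, vf)
		if err != nil {
			fmt.Printf("%-26s unchecked=%-32s checked=REJECTED (%v)\n", vf, unchecked, err)
			continue
		}
		fmt.Printf("%-26s unchecked=%-32s checked=%s\n", vf, unchecked, checked)
	}
}
```

The check here is purely lexical, which is enough to stop `../` sequences in the requested path. A production resolver should additionally resolve symbolic links (for example with `filepath.EvalSymlinks`) before comparing against the root, since a chart can contain a symlink inside the repository that points outside it, and that is not visible to a string comparison.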

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.