Apiiro, the leader in Cloud-Native Application Security, announced a major software supply chain zero-day vulnerability in Argo CD, the popular open source Continuous Delivery platform. The vulnerability enables attackers to access sensitive information such as secrets, passwords, and API keys, which can be used to escalate privileges and gain access to additional systems and resources.
The vulnerability (CVE-2022-24348), with a CVSS score of 7.7, allows malicious actors to exploit it by loading a Kubernetes Helm Chart YAML file and “hop” from their own application ecosystem to other applications’ data outside of the user’s scope. The actors can then read and exfiltrate data residing in those other applications.
The impact of the vulnerability is two-fold:
- First, contents read from other files present on the reposerver may contain sensitive information.
- Second, an attacker can use secrets, tokens, and keys often found in application files to escalate privileges or gain a foothold on additional systems.
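The core of the problem described above is a file reference inside a tenant's Helm chart that resolves to a location outside that tenant's repository on the reposerver. The following Go program is an added illustration of the defensive check a repository server needs, not Argo CD's own code or its actual fix: `ResolveValuesFile` is a hypothetical helper that only accepts a values file once the cleaned, symlink-resolved path is confirmed to lie under the repository root, and `BuildDemoLayout` builds a constructed on-disk layout (one in-scope chart, one neighbouring application holding a placeholder secret) so the check can be exercised offline. Both `../` traversal and a symbolic link pointing out of the repository are covered, since a prefix check on the unresolved string alone catches only the first.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested values file resolves to a path
// that is not under the repository root (another tenant's files, for example).
var ErrOutsideRepo = errors.New("values file resolves outside the repository root")

// ResolveValuesFile returns the absolute, symlink-resolved path of valuesFile
// (given relative to chartDir inside repoRoot) only if that resolved path stays
// inside repoRoot. Hypothetical helper for illustration; not Argo CD's API.
func ResolveValuesFile(repoRoot, chartDir, valuesFile string) (string, error) {
	// Resolve the root itself first so that a symlinked root (e.g. /tmp on some
	// systems) compares correctly against the resolved candidate path.
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	root, err = filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans "../" components; EvalSymlinks follows any symbolic links.
	candidate := filepath.Join(root, chartDir, valuesFile)
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	// The final test is on the relative path from the resolved root: anything
	// beginning with ".." escaped the repository and is rejected.
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return resolved, nil
}

// BuildDemoLayout creates a constructed layout under base:
//   base/repo/chart/values.yaml                              in scope
//   base/other-app/secret.yaml                               another tenant's data
//   base/repo/chart/linked-values.yaml -> ../../other-app/secret.yaml (symlink)
func BuildDemoLayout(base string) error {
	chart := filepath.Join(base, "repo", "chart")
	other := filepath.Join(base, "other-app")
	for _, d := range []string{chart, other} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return err
		}
	}
	if err := os.WriteFile(filepath.Join(chart, "values.yaml"), []byte("replicaCount: 1\n"), 0o644); err != nil {
		return err
	}
	// Placeholder value standing in for a real secret; constructed for the demo.
	if err := os.WriteFile(filepath.Join(other, "secret.yaml"), []byte("apiKey: PLACEHOLDER-SECRET\n"), 0o644); err != nil {
		return err
	}
	return os.Symlink(filepath.Join("..", "..", "other-app", "secret.yaml"), filepath.Join(chart, "linked-values.yaml"))
}

func main() {
	base, err := os.MkdirTemp("", "repo-scope-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	if err := BuildDemoLayout(base); err != nil {
		panic(err)
	}
	repo := filepath.Join(base, "repo")
	for _, f := range []string{"values.yaml", "../../other-app/secret.yaml", "linked-values.yaml"} {
		p, err := ResolveValuesFile(repo, "chart", f)
		fmt.Printf("%-30s -> path=%q err=%v\n", f, p, err)
	}
}
```

The in-scope `values.yaml` is accepted; the `../../other-app/secret.yaml` reference and the `linked-values.yaml` symlink both come back with `ErrOutsideRepo`, which is the behaviour a reposerver should enforce before reading any file named by user-controlled chart content. Note that `filepath.EvalSymlinks` requires the target to exist, so a non-existent path is reported as an I/O error rather than silently accepted.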
“Supply chain attacks will continue to accelerate and it’s essential that Security researchers focus on securing the modern, cloud-native SDLC,” commented Moshe Zioni, Apiiro’s VP of Security Research.
Apiiro worked closely with the Argo CD team, which resolved the vulnerability and alerted their users to upgrade immediately to the newly-released versions 2.1.9 and 2.2.4.
Additional technical details can be found here.
Apiiro helps security and development teams proactively remediate risk before releasing to the cloud. Apiiro is re-inventing risk remediation for Cloud-Native applications.