CVE-2022-24904: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and...

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

1.05%

60.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Argoproj	Argo Cd	>= 0.7.0, < 2.1.15
Argoproj	Argo Cd	>= 2.2.0, < 2.2.9
Argoproj	Argo Cd	>= 2.3.0, < 2.3.4

References

https://github.com/argoproj/argo-cd/releases/tag/v2.1.15Release Notes, Third Party Advisory
https://github.com/argoproj/argo-cd/releases/tag/v2.2.9Release Notes, Third Party Advisory
https://github.com/argoproj/argo-cd/releases/tag/v2.3.4Release Notes, Third Party Advisory
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54hMitigation, Third Party Advisory
https://github.com/argoproj/argo-cd/releases/tag/v2.1.15Release Notes, Third Party Advisory
https://github.com/argoproj/argo-cd/releases/tag/v2.2.9Release Notes, Third Party Advisory
https://github.com/argoproj/argo-cd/releases/tag/v2.3.4Release Notes, Third Party Advisory
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54hMitigation, Third Party Advisory

Timeline

Published: May 20, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24904?

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.

How severe is CVE-2022-24904?

CVE-2022-24904 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 1.05% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24904?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.