Maybe someday there will be a day when we don’t have a serious security problem to worry about, but that day is not today. In our latest headache, the cloud-native security company Apiiro’s Security Research team uncovered a nasty software supply chain zero-day vulnerability, CVE-2022-24348, in Argo CD, the popular open-source GitOps Continuous Delivery (CD) platform.
The problem is an old but nasty path traversal bug. When abused, it enables arbitrary values files to be consumed by Helm charts. Adding insult to injury, an attacker can craft malicious Helm chart packages that contain values files which are actually symbolic links pointing to arbitrary files outside the repository’s root directory.
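The containment check a defender would want for this class of bug, as an added example in Go (not Argo CD's own code): resolve symlinks before deciding whether a Helm values file really lies inside the repository root, so that a link named values.yaml cannot pull in a file from elsewhere on the host. The repository layout, file names and helper functions below are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ResolveValuesFile returns the symlink-resolved path of valuesFile (named relative to
// repoRoot, as an application spec would) if it stays inside the repository, else an error.
func ResolveValuesFile(repoRoot, valuesFile string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // the root itself may be a link (e.g. /tmp on macOS)
	if err != nil {
		return "", err
	}
	// Join cleans "../" lexically; EvalSymlinks then follows every link component, so a
	// chart/values.yaml that is really a symlink out of the repository resolves to its target,
	// Rel then yields "../..." for anything above root, and IsLocal (Go 1.20+) rejects that.
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, valuesFile))
	if err != nil {
		return "", err
	}
	if rel, err := filepath.Rel(root, resolved); err != nil || !filepath.IsLocal(rel) {
		return "", fmt.Errorf("%s resolves to %s, outside repository root %s", valuesFile, resolved, root)
	}
	return resolved, nil
}

// MakeFixture lays out a constructed repo in a temp dir: a genuine chart/values.yaml plus
// chart/evil.yaml, a symlink to secret.yaml, which sits beside (not inside) the repository.
func MakeFixture() (string, error) {
	base, err := os.MkdirTemp("", "argocd-example")
	if err != nil {
		return "", err
	}
	root, chart, outside := filepath.Join(base, "repo"), filepath.Join(base, "repo", "chart"), filepath.Join(base, "secret.yaml")
	return root, errors.Join( // arguments are evaluated in order; Join (Go 1.20+) collects any failures
		os.MkdirAll(chart, 0o755),
		os.WriteFile(outside, []byte("token: constructed\n"), 0o600),
		os.WriteFile(filepath.Join(chart, "values.yaml"), []byte("replicas: 1\n"), 0o644),
		os.Symlink(outside, filepath.Join(chart, "evil.yaml")),
	)
}

func main() {
	root, err := MakeFixture()
	if err != nil {
		panic(err)
	}
	fmt.Println(ResolveValuesFile(root, "chart/evil.yaml")) // "" plus the containment error
}
```

The same check rejects a plain "../secret.yaml" reference, since Join cleans the path before the resolved result is compared against the root.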