SCA: security update for github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2 (GHSA-q4w5-4gq2-98vm)

medium Tenable Cloud Security Plugin ID 417881

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting
with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write
access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access
for a repository which is (or may be) used in a Helm-type Application may commit a symlink which points to
an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that
file. Sensitive files which could be leaked include manifest files from other Applications' source
repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted
secrets which have been mounted as files on the repo-server. Patches for this vulnerability has been
released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. If you are using a
version >=v2.3.0 and do not have any Helm-type Applications you may disable the Helm config management
tool as a workaround. (CVE-2022-31036)

See Also

https://github.com/advisories/GHSA-q4w5-4gq2-98vm

Plugin Details

Severity: Medium

ID: 417881

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2022-31036

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/21/2022

Vulnerability Publication Date: 6/21/2022

Reference Information

CVE: CVE-2022-31036