SCA: security update for github.com/argoproj/argo-cd (GHSA-h6h5-6fmq-rh28)

medium Tenable Self-Hosted Container Security Plugin ID 415524

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version
1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability,
allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A
malicious Argo CD user who has been granted `create` or `update` access to Applications can leak the
contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an
Application, the attacker can retrieve the sensitive file's contents either as part of the generated
manifests or in an error message. The attacker would have to know or guess the location of the target
file. Sensitive files which could be leaked include files from another Application's source repositories
or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo
CD versions 2.1.11, 2.2.6, and 2.3.0. The problem can be mitigated by avoiding storing secrets in git,
avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-
server, and carefully limiting who can `create` or `update` Applications. (CVE-2022-24731)

See Also

https://github.com/advisories/GHSA-h6h5-6fmq-rh28

Plugin Details

Severity: Medium

ID: 415524

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2022-24731

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/24/2022

Vulnerability Publication Date: 3/23/2022

Reference Information

CVE: CVE-2022-24731