github.com/argoproj/argo-cd is vulnerable to path traversal. The vulnerability exists in the resolveSymbolicLinkRecursive function of repository.go, which allows a malicious user with write and update permissions to craft a malicious Helm chart and gain access to sensitive information in the system.
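A containment check of the kind this class of bug calls for, as an added example that is not Argo CD's code and not the fix from the commit listed below: a chart-supplied path is accepted only if, after every symbolic link is resolved, it still lies inside the repository directory. The names resolveWithinRoot, sampleRepo and ErrOutsideRoot and the file layout are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path resolves outside repository root")

// resolveWithinRoot (hypothetical helper, not Argo CD code) resolves all symlinks
// in root/rel and returns the real path only if it still lies inside root.
func resolveWithinRoot(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Join cleans "..", but a link stored in the repo can point anywhere,
	// so containment is checked on the fully resolved path.
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return "", err
	}
	relToRoot, err := filepath.Rel(realRoot, resolved)
	if err != nil || relToRoot == ".." || strings.HasPrefix(relToRoot, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideRoot, rel)
	}
	return resolved, nil
}

// sampleRepo builds a constructed layout under base: repo/values.yaml is a
// regular file, repo/linked.yaml is a symlink to a file outside repo.
func sampleRepo(base string) (string, error) {
	root, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside.txt")
	return root, errors.Join(
		os.Mkdir(root, 0755),
		os.WriteFile(outside, []byte("constructed\n"), 0600),
		os.WriteFile(filepath.Join(root, "values.yaml"), []byte("a: 1\n"), 0600),
		os.Symlink(outside, filepath.Join(root, "linked.yaml")),
	)
}

func main() {
	base, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(base)
	root, _ := sampleRepo(base)
	_, err := resolveWithinRoot(root, "linked.yaml")
	fmt.Println("linked.yaml:", err)
}
```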
github.com/argoproj/argo-cd/commit/6e54e59e820e0b18c2890a47f2c80fbe989995d1
github.com/argoproj/argo-cd/pull/8606
github.com/argoproj/argo-cd/releases/tag/v2.1.11
github.com/argoproj/argo-cd/releases/tag/v2.2.6
github.com/argoproj/argo-cd/releases/tag/v2.3.0
github.com/argoproj/argo-cd/security/advisories/GHSA-h6h5-6fmq-rh28