github.com/argoproj/argo-events is vulnerable to path traversal. The readFromRepository function in git.go does not check whether the file at GitArtifactReader.artifact.FilePath is a symbolic link before opening and reading it, allowing an attacker to read arbitrary files outside the expected directory.
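The missing check, as an added example that is not the argo-events code or its fix: resolve symbolic links first, then confirm the resolved target is still under the checkout root before reading. The names readInsideRepo and demo and the sample files are hypothetical and constructed here, and the example also rejects ../ components, which goes one step beyond the symlink case described above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readInsideRepo (hypothetical name) reads relPath only if, once symlinks
// are resolved, the target still lies inside repoRoot.
func readInsideRepo(repoRoot, relPath string) ([]byte, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(root, relPath))
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("%q resolves outside the repository", relPath)
	}
	return os.ReadFile(target)
}

// demo builds a constructed checkout in a temp dir: one regular file and one
// symlink pointing at a file outside the checkout, then tries three reads.
func demo() (string, error, error) {
	base, err := os.MkdirTemp("", "gitreader")
	if err != nil {
		return "", err, err
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.Mkdir(repo, 0o755)
	os.WriteFile(filepath.Join(base, "secret.txt"), []byte("outside"), 0o600)
	os.WriteFile(filepath.Join(repo, "trigger.yaml"), []byte("kind: Workflow"), 0o644)
	os.Symlink(filepath.Join(base, "secret.txt"), filepath.Join(repo, "link.yaml"))
	ok, _ := readInsideRepo(repo, "trigger.yaml")
	_, linkErr := readInsideRepo(repo, "link.yaml")
	_, dotErr := readInsideRepo(repo, "../secret.txt")
	return string(ok), linkErr, dotErr
}

func main() {
	fmt.Println(demo())
}
```

A resolve-then-open check leaves a small window between the check and the read if the directory can change concurrently; on Go 1.24 and later, os.OpenRoot confines the open itself to the directory.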