Apiiro, the leader in Cloud-Native Application Security, today announced a major software supply chain zero-day vulnerability in Argo CD, the popular open source Continuous Delivery platform. The vulnerability enables attackers to access sensitive information such as secrets, passwords, and API keys, which can be used to escalate privileges and gain access to additional systems and resources.
The vulnerability (CVE-2022-24348), with a CVSS score of 7.7, allows malicious actors to load a crafted Kubernetes Helm Chart YAML file and “hop” from their own application’s scope to other applications’ data outside of the user’s scope. The actors can then read and exfiltrate data residing in those other applications.
The impact of the vulnerability is two-fold:
- First, contents read from other files present on the reposerver may contain sensitive information.
- Second, an attacker can use secrets, tokens, and keys often found in application files to escalate privileges or gain a foothold on additional systems.
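The defensive counterpart to the "hop" described above is a containment check on every repository-relative file path a user can supply. The following Go snippet is an added illustration written for this page, not Argo CD's own code: the `ResolveValuesFile` function and the `appRoot` layout are hypothetical, and it models only the path-containment step.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested file resolves outside the application's source root.
var ErrOutsideRepo = errors.New("values file path escapes the application source root")

// ResolveValuesFile maps a user-supplied Helm values file path onto the checked-out
// repository and refuses anything that resolves outside appRoot.
// appRoot is assumed to be an absolute, already-cleaned directory (hypothetical layout).
func ResolveValuesFile(appRoot, valuesPath string) (string, error) {
	if filepath.IsAbs(valuesPath) {
		return "", ErrOutsideRepo
	}
	joined := filepath.Join(appRoot, valuesPath) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(appRoot, joined)
	if err != nil {
		return "", err
	}
	// After cleaning, any remaining leading ".." means the path points above appRoot.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return joined, nil
}

func main() {
	root := "/tmp/argocd/repos/team-a/chart" // constructed example root
	// Constructed sample inputs: two legitimate paths, two that try to leave the repo.
	for _, p := range []string{"values.yaml", "env/../prod.yaml", "../../team-b/secrets.yaml", "/etc/passwd"} {
		resolved, err := ResolveValuesFile(root, p)
		if err != nil {
			fmt.Printf("REJECT %-28s %v\n", p, err)
			continue
		}
		fmt.Printf("ALLOW  %-28s -> %s\n", p, resolved)
	}
}
```

A lexical check like this is necessary but not sufficient: a checked-out repository may contain symlinks, so a production implementation should also resolve the final path (for example with `filepath.EvalSymlinks`) and re-run the containment test on the result.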
“Supply chain attacks will continue to accelerate and it’s essential that security researchers focus on securing the modern, cloud-native SDLC,” commented Moshe Zioni, Apiiro’s VP of Security Research.