An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02Z2NnLWhwMngtcTU0aM4AAgdM

Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server


All unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink-following bug that allows a malicious user with repository write access to leak sensitive files from Argo CD's repo-server.

A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file.

Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server.
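As an added illustration of the boundary the advisory describes (example code, not Argo CD's own implementation), the following Go check walks a repository checkout and reports every symlink whose resolved target lies outside the checkout root. The function name `escapingSymlinks` and the rejection of dangling links are this example's own choices.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// escapingSymlinks walks a repository checkout and returns every symlink whose
// fully resolved target lies outside the checkout root (or cannot be resolved).
func escapingSymlinks(repoRoot string) ([]string, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // canonical root, e.g. /tmp -> /private/tmp
	if err != nil {
		return nil, err
	}
	if root, err = filepath.Abs(root); err != nil {
		return nil, err
	}
	var bad []string
	err = filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		// Walk uses Lstat, so a symlink shows up as itself and is never followed.
		if info.Mode()&os.ModeSymlink == 0 {
			return nil
		}
		target, err := filepath.EvalSymlinks(path) // follows chains and relative targets
		if err != nil {
			bad = append(bad, path) // dangling or unreadable: reject rather than guess
			return nil
		}
		rel, err := filepath.Rel(root, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			bad = append(bad, path)
		}
		return nil
	})
	return bad, err
}

func main() {
	bad, err := escapingSymlinks(os.Args[1]) // usage: symlinkcheck <checkout-dir>
	if err != nil || len(bad) > 0 {
		fmt.Fprintln(os.Stderr, "rejecting checkout:", err, bad)
		os.Exit(1)
	}
}
```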


A patch for this vulnerability has been released in the following Argo CD versions:



Best practices which can mitigate risk


This vulnerability was originally discovered as part of the Trail of Bits audit, published March 12, 2021. The behavior was left unchanged at the time.

The vulnerability was independently re-discovered by @crenshaw-dev, who contributed the patch. A security audit by Ada Logics independently followed up on the Trail of Bits report around the same time.


For more information

Open an issue in the Argo CD issue tracker or discussions. Join us on Slack in channel #argo-cd.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 8 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-6gcg-hp2x-q54h, CVE-2022-24904

Affected Packages
Versions: >= 2.3.0, < 2.3.4; >= 2.2.0, < 2.2.9; < 2.1.15
Fixed in: 2.3.4, 2.2.9, 2.1.15