Argo CD, a continuous-delivery tool for Kubernetes environments, contains a critical vulnerability that allows authentication data to be stolen. The vulnerability was discovered by security researchers at Apiiro.
Apiiro found a previously unknown (zero-day) vulnerability, CVE-2022-24348, in Argo CD. Authentication data such as passwords, secrets and API keys belonging to other applications managed by the same Argo CD instance can be exposed. Developers use Argo CD to automate deployments to Kubernetes from Git repositories (GitOps) and to monitor the state of deployed applications, among other things.
The flaw is exploited by loading a malicious Kubernetes Helm chart: an attacker with permission to create or update an Argo CD Application points the chart's values file at a path outside the chart's own repository, and the vulnerable versions fail to reject that path traversal. A Helm chart's YAML files contain several 'fields' that specify the resources and configuration needed to deploy an application in Kubernetes; the values file is the one that supplies those settings, so a traversal there lets the attacker read files that belong to other applications. Argo CD has shipped fixed releases (2.3.0, 2.2.4 and 2.1.9); upgrading to one of them is the remediation.
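The class of check that closes this kind of hole is a containment test: every values-file path a chart or Application manifest names must, after cleaning, still sit under the repository root that was checked out for it. The following is an added example written for this page, not Argo CD's own code; the function names ResolveValuesFile and CheckValueFiles, the root directory /repos/my-app and the valueFiles list in main are assumptions constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a values-file path would resolve outside
// the repository the chart was checked out from.
var ErrEscapesRoot = errors.New("values file path escapes repository root")

// ResolveValuesFile joins one user-supplied values-file path (the kind of
// entry an Application manifest lists under spec.source.helm.valueFiles) to
// the checked-out repository root and rejects it if the cleaned result is
// not the root itself or a descendant of it. Illustrative check written for
// this example; the function name is an assumption, not an Argo CD API.
func ResolveValuesFile(repoRoot, valuesPath string) (string, error) {
	if valuesPath == "" {
		return "", errors.New("empty values file path")
	}
	// A chart may only reference files inside its own repository, so an
	// absolute path is rejected before any joining takes place.
	if filepath.IsAbs(valuesPath) {
		return "", ErrEscapesRoot
	}
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	// Join also cleans, collapsing "../" and "./" components, so the
	// containment test below sees the path the file system would open,
	// not the raw string; "a/../../b" is therefore caught just like "../b".
	full := filepath.Join(root, valuesPath)

	// The trailing separator stops "/repos/my-app-other/x" from passing
	// as a child of "/repos/my-app".
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return full, nil
}

// CheckValueFiles applies ResolveValuesFile to a whole valueFiles list and
// returns the resolved paths, or the first offending entry wrapped in the
// error so an operator can see what was attempted.
func CheckValueFiles(repoRoot string, valueFiles []string) ([]string, error) {
	resolved := make([]string, 0, len(valueFiles))
	for _, vf := range valueFiles {
		full, err := ResolveValuesFile(repoRoot, vf)
		if err != nil {
			return nil, fmt.Errorf("valueFiles entry %q: %w", vf, err)
		}
		resolved = append(resolved, full)
	}
	return resolved, nil
}

func main() {
	// Constructed input: a valueFiles list such as a crafted Application
	// manifest might carry. The first two entries stay inside the repository;
	// the third tries to read another application's values from a sibling
	// checkout on the same server.
	valueFiles := []string{
		"values.yaml",
		"env/prod/values.yaml",
		"../other-app/secret-values.yaml",
	}
	if _, err := CheckValueFiles("/repos/my-app", valueFiles); err != nil {
		fmt.Println("rejected:", err)
	}
	ok, _ := CheckValueFiles("/repos/my-app", valueFiles[:2])
	fmt.Println("accepted:", ok)
}
```

The test is purely lexical: it decides on the cleaned path string and never touches the file system, which is what makes it cheap to run on every entry before any file is opened. It does not defend against a symlink committed into the repository that points outside it; for that, resolve the accepted path with filepath.EvalSymlinks once the checkout exists and run the same containment test on the result.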
Open source software under fire
This is far from the first time that widely used open source software has been affected. New vulnerabilities are still being found in Log4j, and a flaw that left virtually all major Linux distributions vulnerable was disclosed recently.
Meanwhile, the Open Source Security Foundation (OpenSSF) has announced the Alpha-Omega Project to improve the security of the open source software supply chain. Microsoft and Google are backing the project with an initial $5 million (over 4 million euros).