
Improper Link Resolution Before File Access ('Link Following')

CVE-2022-24904

Severity Medium
Score 4.3/10

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD versions 0.7.0 through 2.1.14, 2.2.0-rc1 through 2.2.8-1, 2.3.0-rc1 through 2.3.3, and 2.4.0-rc1 are vulnerable to a symlink-following bug that allows a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access to a repository which is (or may be) used in a directory-type Application may commit a symlink that points to an out-of-bounds file; when the repo-server renders that Application it follows the link and reads the target. Sensitive files that could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) and any JSON-formatted secrets that have been mounted as files on the repo-server. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.

CVSS 3.1 base metrics (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N):

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: LOW
  • Integrity: NONE
  • Availability: NONE

CWE-59 - Improper Link Resolution Before File Access

'Improper link resolution before file access' occurs when software opens a file by path but fails to verify that the path is not a symbolic link or shortcut that resolves to a different file than intended. An attacker who can plant such a link inside a directory the software trusts can redirect reads or writes to arbitrary files; depending on the application, the impact ranges from sensitive data exposure to remote code execution.
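The summary above describes a symlink committed into a directory-type Application's repository that resolves to a file outside the repo-server's checkout, and the CWE-59 text describes the general pattern. The Go program below is an added illustration, not code from Argo CD's code base: `readNaive` shows the unsafe pattern (join the requested path onto the repo root and read it), and `readConfined` shows the check a practitioner would want, resolving every symlink with `filepath.EvalSymlinks` and refusing the read unless the resolved target still lies under the resolved root. The directory layout, file names (`mounted-secret.json`, `evil.yaml`, `deployment.yaml`) and function names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutOfBounds is returned when a requested path resolves outside the repository root.
var ErrOutOfBounds = errors.New("path resolves outside repository root")

// readNaive shows the vulnerable pattern: join the requested relative path onto the
// repo root and read it. A symlink committed inside the repo that points outside the
// root is followed silently, so "evil.yaml" can hand back any file the process can read.
func readNaive(root, rel string) ([]byte, error) {
	return os.ReadFile(filepath.Join(root, rel))
}

// readConfined resolves symlinks in both the root and the candidate path, then refuses
// the read unless the resolved file still lies under the resolved root. This rejects
// symlinks to out-of-bounds files as well as plain "../" traversal.
func readConfined(root, rel string) ([]byte, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return nil, err
	}
	relToRoot, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return nil, err
	}
	if relToRoot == ".." || strings.HasPrefix(relToRoot, ".."+string(filepath.Separator)) {
		return nil, ErrOutOfBounds
	}
	return os.ReadFile(realPath)
}

// setupFixture builds a constructed layout in a temp dir (not real Argo CD data):
//   <base>/mounted-secret.json     a file outside the repo, standing in for a mounted secret
//   <base>/repo/deployment.yaml    a legitimate manifest
//   <base>/repo/evil.yaml          the attacker's commit: a symlink to the secret
// It returns the repo root and a cleanup func.
func setupFixture() (string, func(), error) {
	base, err := os.MkdirTemp("", "linkfollow")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(base) }
	secret := filepath.Join(base, "mounted-secret.json")
	root := filepath.Join(base, "repo")
	steps := []func() error{
		func() error { return os.WriteFile(secret, []byte(`{"token":"constructed-example"}`), 0o600) },
		func() error { return os.Mkdir(root, 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "deployment.yaml"), []byte("kind: Deployment\n"), 0o644) },
		func() error { return os.Symlink(secret, filepath.Join(root, "evil.yaml")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := setupFixture()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer cleanup()
	for _, rel := range []string{"deployment.yaml", "evil.yaml", "../mounted-secret.json"} {
		naive, nerr := readNaive(root, rel)
		confined, cerr := readConfined(root, rel)
		fmt.Printf("%-24s naive=%q (%v)\n%-24s confined=%q (%v)\n", rel, naive, nerr, "", confined, cerr)
	}
}
```

Resolving the root itself matters: on systems where the checkout directory is reached through a symlink (for example a temp dir that is itself a link), comparing the resolved target against an unresolved root would reject every legitimate file. The check is still a check-then-use sequence; if an attacker can rewrite the tree between `EvalSymlinks` and `ReadFile`, open the file with `O_NOFOLLOW` semantics or operate on a directory handle instead.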

Advisory Timeline

  • Published