GHSA-prqf-xr2j-xf65

Source
https://github.com/advisories/GHSA-prqf-xr2j-xf65
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-prqf-xr2j-xf65/GHSA-prqf-xr2j-xf65.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-prqf-xr2j-xf65
Aliases
Published
2021-08-23T19:41:41Z
Modified
2024-08-21T14:57:07.346958Z
Summary
Potential privilege escalation on Kubernetes >= v1.19 when the Argo Server is run with `--auth-mode=client`
Details

Impact

This is a proactive fix. No known exploits exist.

Impacted:

  • You're running Kubernetes >= v1.19
  • You're running Argo Server
  • It is configured with `--auth-mode=client`
  • It is not configured with `--auth-mode=server`
  • You are not running Argo Server in a Kubernetes pod, e.g. it runs on bare metal or another VM.
  • You're using a client key to authenticate to the server.
  • The server has more permissions than the connecting client's account.

The client's authentication will be ignored and the server's authentication will be used. This results in privilege escalation to the level of the server's account.
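An added example, not part of the advisory or of the argo-workflows code base: a Go check that reports whether an argo-workflows v3 version falls inside the advisory's affected ranges (3.0.0 up to but excluding 3.0.9, and 3.1.0 up to but excluding 3.1.6) and whether an Argo Server command line enables `--auth-mode=client` without `--auth-mode=server`. The flag-parsing rules and the sample arguments are assumptions; the not-in-a-pod, client-key and permission-gap conditions are not something the process arguments can show, so they are left to the operator.

```go
package main

import (
	"fmt"
	"strings"
)

// affectedRanges holds the advisory's SEMVER events as (introduced, fixed) pairs.
var affectedRanges = [][2]string{{"3.0.0", "3.0.9"}, {"3.1.0", "3.1.6"}}

// versionKey turns "v3.0.8" or "3.0.8" into a single comparable integer.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &major, &minor, &patch)
	if err != nil {
		return 0, fmt.Errorf("unexpected version format %q: %w", v, err)
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// VersionAffected reports whether v lies in [introduced, fixed) of any listed range.
func VersionAffected(v string) (bool, error) {
	k, err := versionKey(v)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := versionKey(r[0])
		hi, _ := versionKey(r[1])
		if k >= lo && k < hi {
			return true, nil
		}
	}
	return false, nil
}

// ConfigExposed reports whether args enable client auth-mode without server
// auth-mode, the configuration the advisory describes. It accepts the repeated
// "--auth-mode=X" and "--auth-mode X" spellings (assumed flag syntax, not argo's
// own flag parser).
func ConfigExposed(args []string) bool {
	modes := map[string]bool{}
	for i, a := range args {
		if strings.HasPrefix(a, "--auth-mode=") {
			modes[strings.TrimPrefix(a, "--auth-mode=")] = true
		} else if a == "--auth-mode" && i+1 < len(args) {
			modes[args[i+1]] = true
		}
	}
	return modes["client"] && !modes["server"]
}
```

A constructed command line such as `argo server --auth-mode=client --namespaced` on version v3.1.5 is reported as both in range and exposed; adding `--auth-mode=server` or upgrading to 3.1.6 clears the respective finding.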

Patches

https://github.com/argoproj/argo-workflows/pull/6506

Workarounds

None.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T17:05:11Z"
}
References

Affected packages

Go / github.com/argoproj/argo-workflows/v3

Package

Name
github.com/argoproj/argo-workflows/v3
Purl
pkg:golang/github.com/argoproj/argo-workflows/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.0.9

Go / github.com/argoproj/argo-workflows/v3

Package

Name
github.com/argoproj/argo-workflows/v3
Purl
pkg:golang/github.com/argoproj/argo-workflows/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.1.0
Fixed
3.1.6