GHSA-rc7p-gmvh-xfx2

Suggest an improvement
Source
https://github.com/advisories/GHSA-rc7p-gmvh-xfx2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-rc7p-gmvh-xfx2/GHSA-rc7p-gmvh-xfx2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rc7p-gmvh-xfx2
Published
2021-08-02T17:19:52Z
Modified
2021-08-02T17:18:32Z
Summary
Attack on Kubernetes via Misconfigured Argo Workflows
Details

Impact

Users running using the Argo Server with --auth-mode=server (which is the default < v3.0.0) AND have exposed their UI to the Internet may allow remote users to execute arbitrary code on their cluster, e.g. crypto-mining.

Resolution

  • Do not expose your user interface to the Internet.
  • Change configuration. --auth-mode=client.

For users using an older 2.x version of Argo Server, consider upgrading to Argo Server version 3.x or later.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "github_reviewed_at": "2021-07-22T20:25:42Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/argoproj/argo-workflows

Package

Name
github.com/argoproj/argo-workflows
View open source insights on deps.dev
Purl
pkg:golang/github.com/argoproj/argo-workflows

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-rc7p-gmvh-xfx2/GHSA-rc7p-gmvh-xfx2.json"
last_known_affected_version_range 
"< 3.0.0"