Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.
History

Thu, 21 Nov 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-helm
CPEs cpe:2.3:a:argoproj:argo-helm:*:*:*:*:*:*:*:*
Vendors & Products Argoproj
Argoproj argo-helm
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 21 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
Description Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.
Title Argo Workflows Chart: Excessive Privileges in Workflow Role
Weaknesses CWE-1220
CWE-250
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-21T17:02:01.525Z

Updated: 2024-11-21T20:48:51.507Z

Reserved: 2024-11-15T17:11:13.440Z

Link: CVE-2024-52799

cve-icon Vulnrichment

Updated: 2024-11-21T20:44:15.708Z

cve-icon NVD

Status : Received

Published: 2024-11-21T17:15:24.220

Modified: 2024-11-21T17:15:24.220

Link: CVE-2024-52799

cve-icon Redhat

No data.