Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the most serious being create on pods/exec, which allows kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.
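A check an operator can run over a rendered Role to find the over-privilege the advisory describes and to strip it before upgrading. This is an added example, not code from the argo-helm chart; the sample Role (its name, namespace and rules) is constructed for illustration, and the matching logic mirrors Kubernetes RBAC semantics for `*`, an exact `pods/exec`, and the `*/exec` subresource wildcard.

```python
"""Detect and remove Role rules granting `create` on pods/exec (added example)."""
import copy

# Constructed sample Role shaped like the pre-0.44.0 workflow-role described
# in the advisory (name, namespace and rules are illustrative, not the chart's).
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "argo-workflow", "namespace": "argo"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}


def _resource_matches(rule_resources, resource="pods", subresource="exec"):
    """Kubernetes RBAC resource matching: '*', exact 'pods/exec', or '*/exec'."""
    wanted = (f"{resource}/{subresource}", f"*/{subresource}", "*")
    return any(r in wanted for r in rule_resources)


def grants_pods_exec(rule):
    """True if a single PolicyRule allows `create` on core-group pods/exec."""
    groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
    return (
        ("" in groups or "*" in groups)            # pods live in the core group
        and ("create" in verbs or "*" in verbs)    # an exec session is a POST
        and _resource_matches(rule.get("resources", []))
    )


def find_pods_exec_rules(role):
    """Indices of the rules in a Role/ClusterRole that grant pods/exec create."""
    return [i for i, r in enumerate(role.get("rules", [])) if grants_pods_exec(r)]


def strip_pods_exec(role):
    """Return (hardened copy, wildcard rules needing review). A rule naming only
    pods/exec is dropped; a '*' or '*/exec' rule is kept and reported."""
    hardened = copy.deepcopy(role)
    kept, needs_review = [], []
    for rule in hardened.get("rules", []):
        if grants_pods_exec(rule):
            if set(rule.get("resources", [])) == {"pods/exec"}:
                continue                        # not needed by Emissary (>= 3.4)
            needs_review.append(rule)           # wildcard: needs a human decision
        kept.append(rule)
    hardened["rules"] = kept
    return hardened, needs_review
```

Feed it the output of `helm template` (parsed with any YAML loader) or `kubectl get role -o json`; a non-empty review list means the Role has wildcard grants that cover more than exec and must be narrowed by hand.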
History
Thu, 21 Nov 2024 21:15:00 +0000

Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Argoproj; Argoproj argo-helm | |
CPEs | cpe:2.3:a:argoproj:argo-helm:*:*:*:*:*:*:*:* | |
Vendors & Products | Argoproj; Argoproj argo-helm | |
Metrics | ssvc | |
Thu, 21 Nov 2024 17:15:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Description | Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0. | |
Title | Argo Workflows Chart: Excessive Privileges in Workflow Role | |
Weaknesses | CWE-1220; CWE-250 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-21T17:02:01.525Z
Updated: 2024-11-21T20:48:51.507Z
Reserved: 2024-11-15T17:11:13.440Z
Link: CVE-2024-52799
Vulnrichment
Updated: 2024-11-21T20:44:15.708Z
NVD
Status : Received
Published: 2024-11-21T17:15:24.220
Modified: 2024-11-21T17:15:24.220
Link: CVE-2024-52799
Redhat
No data.