Vulnerability-Lookup

GHSA-6C73-2V8X-QPVM

Vulnerability from github – Published: 2021-08-23 19:41 – Updated: 2021-08-23 17:02

Summary

Argo Server TLS requests could be forged by attacker with network access

Details

Impact

We are not aware of any exploits. This is a pro-active fix.

Impacted:

You are running Argo Server < v3.0 with --secure=true or >= v3.0 with --secure unspecified (note - running in secure mode is recommended regardless).
The attacker is within your network. If you expose Argo Server to the Internet then "your network" is "the Internet".

The Argo Server's keys are packaged within the image. They could be extracted and used to decrypt traffic, or forge requests.

Patches

https://github.com/argoproj/argo-workflows/pull/6540

Workarounds

Make sure that your Argo Server service or pod are not directly accessible outside of your cluster. Put TLS load balancer in front of it.

This was identified by engineers at Jetstack.io

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T17:02:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWe are not aware of any exploits. This is a pro-active fix.\n\nImpacted: \n\n* You are running Argo Server \u003c v3.0 with `--secure=true` or \u003e= v3.0 with `--secure` unspecified (note - running in secure mode is recommended regardless).\n* The attacker is within your network. If you expose Argo Server to the Internet then \"your network\" is \"the Internet\". \n\nThe Argo Server\u0027s keys are packaged within the image. They could be extracted and used to decrypt traffic, or forge requests.\n\n### Patches\n\nhttps://github.com/argoproj/argo-workflows/pull/6540\n\n### Workarounds\n\n* Make sure that your Argo Server service or pod are not directly accessible outside of your cluster. Put TLS load balancer in front of it.\n\nThis was identified by engineers at Jetstack.io",
  "id": "GHSA-6c73-2v8x-qpvm",
  "modified": "2021-08-23T17:02:24Z",
  "published": "2021-08-23T19:41:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-6c73-2v8x-qpvm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Argo Server TLS requests could be forged by attacker with network access"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted