Vulnerability-Lookup

GHSA-PRQF-XR2J-XF65

Vulnerability from github – Published: 2021-08-23 19:41 – Updated: 2021-08-23 17:05

Summary

Potential privilege escalation on Kubernetes >= v1.19 when the Argo Sever is run with `--auth-mode=client`

Details

Impact

This is pro-active fix. No know exploits exist.

Impacted:

You're running Kubernetes >= v1.19
You're running Argo Server
It is configured to with --auth-mode=client
Is not configured with --auth-mode=server
You are not running Argo Server in Kubernetes pod. E.g. on bare metal or other VM.
You're using client key to authenticate on the server.
The server has more permissions that the connecting client's account.

The client's authentication will be ignored and the server's authentication will be used. This will result in privilege escalation to that of the the server's account.

Patches

https://github.com/argoproj/argo-workflows/pull/6506

Workarounds

None.

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T17:05:11Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nThis is pro-active fix. No know exploits exist. \n\nImpacted:\n\n* You\u0027re running Kubernetes \u003e= v1.19\n* You\u0027re running Argo Server\n* It is configured to with `--auth-mode=client`\n* Is not configured with `--auth-mode=server`\n* You are not running Argo Server in Kubernetes pod. E.g. on bare metal or other VM.\n* You\u0027re using client key to authenticate on the server. \n* The server has more permissions that the connecting client\u0027s account.\n\nThe client\u0027s authentication will be ignored and the server\u0027s authentication will be used. This will result in privilege escalation to that of the the server\u0027s account.\n\n### Patches\n\nhttps://github.com/argoproj/argo-workflows/pull/6506\n\n### Workarounds\n\nNone.",
  "id": "GHSA-prqf-xr2j-xf65",
  "modified": "2021-08-23T17:05:11Z",
  "published": "2021-08-23T19:41:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-prqf-xr2j-xf65"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Potential privilege escalation on Kubernetes \u003e= v1.19 when the Argo Sever is run with `--auth-mode=client`"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted