Improper authorization control for web services in github.com/argoproj/argo-workflows

Description

Attack on Kubernetes via Misconfigured Argo Workflows

Impact

Users running the Argo Server with --auth-mode=server (the default in versions < v3.0.0) AND who have exposed their UI to the Internet may allow remote users to execute arbitrary code on their cluster, e.g. crypto-mining.

Resolution

    Do not expose your user interface to the Internet.

    Change the configuration to --auth-mode=client.

For users using an older 2.x version of Argo Server, consider upgrading to Argo Server version 3.x or later.
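An added audit check (not part of the advisory or the Argo project) that applies the two resolution steps above to a kubectl -o json view of the argo-server Deployment and its Service: it reports server auth mode (explicit, or implicit on a 2.x image), a 2.x image, and a Service type that exposes the UI beyond the cluster. The sample manifests, the image tag and the container name are constructed for the example.

```python
import json
import re

# Constructed sample: a trimmed `kubectl get deploy argo-server -o json` plus its Service.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec":{"template":{"spec":{"containers":[{"name":"argo-server",
 "image":"argoproj/argocli:v2.12.9","args":["server","--auth-mode=server"]}]}}}}
""")
SAMPLE_SERVICE = json.loads('{"spec":{"type":"LoadBalancer"}}')

def auth_modes(args):
    """Collect every --auth-mode value, whether written --auth-mode=x or --auth-mode x."""
    modes, it = [], iter(args)
    for a in it:
        if a.startswith("--auth-mode="):
            modes.append(a.split("=", 1)[1])
        elif a == "--auth-mode":
            modes.append(next(it, ""))
    return modes

def image_version(image):
    """Return (major, minor, patch) from a tag such as ...:v2.12.9, or None if not a semver tag."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_argo_server(deployment, service):
    """Return a list of findings; an empty list means both resolution steps are satisfied."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        modes = auth_modes(c.get("args", []))
        version = image_version(c.get("image", ""))
        # Per the advisory, "server" is the default before v3.0.0 when no mode is given.
        if not modes and version is not None and version < (3, 0, 0):
            modes = ["server (implicit default)"]
        if any(m.startswith("server") for m in modes):
            findings.append(f"{c['name']}: auth-mode {modes}; remote UI users can run code on the cluster")
        if version is not None and version < (3, 0, 0):
            findings.append(f"{c['name']}: image {c['image']} is a 2.x release; upgrade to 3.x or later")
    if service["spec"].get("type") in ("LoadBalancer", "NodePort"):
        findings.append(f"Service type {service['spec']['type']} exposes the UI outside the cluster")
    return findings

if __name__ == "__main__":
    for line in audit_argo_server(SAMPLE_DEPLOYMENT, SAMPLE_SERVICE):
        print(line)
```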

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
