SB2021080414 - Multiple vulnerabilities in Argo Workflows
Published: August 4, 2021 Updated: April 23, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Use of Hard-coded Cryptographic Key (CVE-ID: N/A)
The vulnerability allows a remote attacker to forge requests or disclose sensitive information.
The vulnerability exists due to improper certificate validation in Argo Server TLS handling when establishing secure connections. A remote attacker can extract the packaged keys and use them to forge requests or disclose sensitive information.
The issue affects deployments running Argo Server in secure mode; where such a server is exposed to the Internet, the attack is reachable from the Internet.
2) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in Argo Server authentication handling when processing client-authenticated requests with --auth-mode=client. A remote user can connect using a client key to escalate privileges.
Exploitation requires Kubernetes version 1.19 or later, Argo Server running outside a Kubernetes pod, --auth-mode=server not being configured, and the server account having more permissions than the connecting user's account.
3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: N/A)
The vulnerability allows a remote user to modify workflows.
The vulnerability exists due to improper neutralization of special elements in expression templates in workflow input parameter handling when processing user-supplied input parameters. A remote user can supply a crafted input parameter to modify workflows.
Only deployments that allow end-users to set input parameters are affected.
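The following is an added example, not code from the bulletin or from the Argo project: it checks an Argo Server container's argument list against the preconditions listed for items 1 and 2 above, and screens caller-supplied input parameters for the template delimiters item 3 is about. It assumes Argo's `{{ ... }}` template delimiters, that secure mode is switched by a `--secure` flag, and that the caller knows whether the server runs inside a pod.

```python
# Added example (not from the bulletin or the Argo project): audits an Argo Server
# container's argument list for the preconditions the bulletin lists, and screens
# caller-supplied input parameters for expression-template delimiters.
# Assumptions: Argo templates are delimited by "{{ ... }}", the secure-mode
# switch is the "--secure" flag, and in_pod is supplied by the caller.
from typing import Dict, List

TEMPLATE_OPEN, TEMPLATE_CLOSE = "{{", "}}"


def parse_auth_modes(args: List[str]) -> List[str]:
    """Collect every --auth-mode value; the flag is repeatable and accepts '=' or a separate value."""
    modes: List[str] = []
    it = iter(args)
    for arg in it:
        if arg.startswith("--auth-mode="):
            modes.append(arg.split("=", 1)[1])
        elif arg == "--auth-mode":
            modes.append(next(it, ""))
    return modes


def audit_argo_server_args(args: List[str], in_pod: bool) -> List[str]:
    """Return one finding per bulletin precondition matched by this argument list."""
    findings: List[str] = []
    modes = parse_auth_modes(args)
    # Item 2: client auth honoured, no server auth mode, server running outside a pod.
    if "client" in modes and "server" not in modes and not in_pod:
        findings.append("item 2: --auth-mode=client without --auth-mode=server outside a pod")
    # Item 1: secure (TLS) mode is where the packaged key matters (flag name assumed).
    if any(a in ("--secure", "--secure=true") for a in args):
        findings.append("item 1: secure mode enabled; reachable if exposed to the Internet")
    return findings


def unsafe_input_parameters(params: Dict[str, str]) -> List[str]:
    """Item 3: names of input parameters carrying template delimiters, which a careful caller rejects."""
    return [k for k, v in params.items() if TEMPLATE_OPEN in v and TEMPLATE_CLOSE in v]


if __name__ == "__main__":
    # Constructed sample taken from a hypothetical argo-server container spec.
    sample_args = ["server", "--auth-mode=client", "--secure"]
    print(audit_argo_server_args(sample_args, in_pod=False))
    print(unsafe_input_parameters({"msg": "hello", "name": "{{workflow.name}}"}))
```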
Remediation
Install the update from the vendor's website.
References
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-6c73-2v8x-qpvm
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-prqf-xr2j-xf65
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h563-xh25-x54q
- https://github.com/argoproj/argo-workflows/issues/6441