SB2022050458 - Improper access control in Argo Workflows
Published: May 4, 2022 Updated: April 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2022-29164)
The vulnerability allows a remote user to read information about the victim's workflows and create or delete workflows.
The vulnerability exists due to improper access control in HTML artifact handling: a crafted HTML artifact, when rendered in the browser, can issue XHR requests to the Argo Server API. A remote user can send a deep link to such an artifact to make the victim's browser interact with the API using the victim's privileges.
User interaction is required, and exploitation requires the ability to run workflows in the same cluster as the victim.
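As an added illustration (not code from this bulletin or from the Argo project), the Go snippet below shows the defensive pattern for this class of issue: an artifact handler that serves workflow-produced HTML under a sandboxing Content-Security-Policy, so the document can neither run script nor reach the API with the viewer's session, beside the unconfined behaviour described above, plus a header check that can be pointed at a live artifact response. The handler name, the check name and the sample artifact are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy for inline-rendered artifacts: default-src 'none' blocks script
// execution and every fetch/XHR target; sandbox (without allow-same-origin)
// gives the document an opaque origin, so the viewer's session never applies.
const artifactCSP = "sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'"

// serveArtifact writes an artifact body; confine=false reproduces the unconfined behaviour.
func serveArtifact(w http.ResponseWriter, body []byte, confine bool) {
	h := w.Header()
	h.Set("Content-Type", "text/html; charset=utf-8")
	if confine {
		h.Set("Content-Security-Policy", artifactCSP)
		h.Set("X-Content-Type-Options", "nosniff")
	}
	w.Write(body)
}

// ArtifactResponseConfined reports whether response headers carry that policy;
// it works on an httptest recorder or on a live server's artifact response.
func ArtifactResponseConfined(h http.Header) bool {
	sandbox, noDefault := false, false
	for _, d := range strings.Split(h.Get("Content-Security-Policy"), ";") {
		tok := strings.Fields(d)
		switch {
		case len(tok) == 0:
		case tok[0] == "sandbox": // allow-same-origin or allow-scripts would undo it
			sandbox = !strings.Contains(d, "allow-same-origin") && !strings.Contains(d, "allow-scripts")
		case tok[0] == "default-src":
			noDefault = len(tok) == 2 && tok[1] == "'none'"
		}
	}
	return sandbox && noDefault && h.Get("X-Content-Type-Options") == "nosniff"
}

// Compare serves a constructed HTML artifact both ways and returns (confined, legacy).
func Compare() (confined, legacy bool) {
	artifact := []byte(`<html><body><h1>Report</h1><script>/* untrusted */</script></body></html>`)
	hard, old := httptest.NewRecorder(), httptest.NewRecorder()
	serveArtifact(hard, artifact, true)
	serveArtifact(old, artifact, false)
	return ArtifactResponseConfined(hard.Header()), ArtifactResponseConfined(old.Header())
}
```

Against a running server, fetch an artifact URL with net/http and pass the response's Header to ArtifactResponseConfined; a false result means the artifact is still rendered as an unconfined same-origin document.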
Remediation
Install the update from the vendor's website.