Skip to content

Attack on Kubernetes via Misconfigured Argo Workflows

Moderate severity GitHub Reviewed Published Jul 22, 2021 in argoproj/argo-workflows • Updated Jan 9, 2023

Package

gomod github.com/argoproj/argo-workflows (Go)

Affected versions

< 3.0.0

Patched versions

None

Description

Impact

Users running using the Argo Server with --auth-mode=server (which is the default < v3.0.0) AND have exposed their UI to the Internet may allow remote users to execute arbitrary code on their cluster, e.g. crypto-mining.

Resolution

  • Do not expose your user interface to the Internet.
  • Change configuration. --auth-mode=client.

For users using an older 2.x version of Argo Server, consider upgrading to Argo Server version 3.x or later.

References

@alexec alexec published to argoproj/argo-workflows Jul 22, 2021
Reviewed Jul 22, 2021
Published to the GitHub Advisory Database Aug 2, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-rc7p-gmvh-xfx2

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.