x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-47827

[GoVulnBot]

Advisory CVE-2024-47827 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-workflows

Description:
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-47827
• FIX: argoproj/argo-workflows@5244064
• FIX: fix: Prevent data race from global metrics round-tripper argoproj/argo-workflows#13641
• WEB: https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75
• WEB: GHSA-ghjw-32xw-ffwr

Cross references:

• github.com/argoproj/argo-workflows appears in 5 other report(s):
  • data/excluded/GO-2022-0408.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: GHSA-rc7p-gmvh-xfx2 #408) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0445.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2022-29164 #445) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0388.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows/v3: GHSA-6c73-2v8x-qpvm #388)
  • data/reports/GO-2022-0405.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows/v3: GHSA-prqf-xr2j-xf65 #405)
  • data/reports/GO-2022-0928.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows/v3: CVE-2021-37914, GHSA-h563-xh25-x54q #928)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-workflows
      vulnerable_at: 0.4.7
summary: CVE-2024-47827 in github.com/argoproj/argo-workflows
cves:
    - CVE-2024-47827
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47827
    - fix: https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a
    - fix: https://github.com/argoproj/argo-workflows/pull/13641
    - web: https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75
    - web: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr
source:
    id: CVE-2024-47827
    created: 2024-10-28T17:01:19.215390854Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/622935 mentions this issue: data/reports: add GO-2024-3226