Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZjNzMtMnY4eC1xcHZt
Argo Server TLS requests could be forged by attacker with network access
Impact
We are not aware of any exploits. This is a pro-active fix.
Impacted:
- You are running Argo Server < v3.0 with
--secure=true
or >= v3.0 with--secure
unspecified (note - running in secure mode is recommended regardless). - The attacker is within your network. If you expose Argo Server to the Internet then "your network" is "the Internet".
The Argo Server's keys are packaged within the image. They could be extracted and used to decrypt traffic, or forge requests.
Patches
https://github.com/argoproj/argo-workflows/pull/6540
Workarounds
- Make sure that your Argo Server service or pod are not directly accessible outside of your cluster. Put TLS load balancer in front of it.
This was identified by engineers at Jetstack.io
Permalink: https://github.com/advisories/GHSA-6c73-2v8x-qpvmJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZjNzMtMnY4eC1xcHZt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-6c73-2v8x-qpvm
References:
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-6c73-2v8x-qpvm
- https://github.com/advisories/GHSA-6c73-2v8x-qpvm
Blast Radius: 0.0
Affected Packages
go:github.com/argoproj/argo-workflows/v3
Dependent packages: 66Dependent repositories: 102
Downloads:
Affected Version Ranges: >= 3.1.0, < 3.1.6, >= 3.0.0, < 3.0.9
Fixed in: 3.1.6, 3.0.9
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5
All unaffected versions: 3.0.9, 3.0.10, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 3.4.15, 3.4.16, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6