CVE-2024-52799

Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987
https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m

Configurations

No configuration.

History

No history.

Information

Published : 2024-11-21 17:15

Updated : 2024-11-21 17:15

NVD link : CVE-2024-52799

Mitre link : CVE-2024-52799

CVE.ORG link : CVE-2024-52799

JSON object : View

Products Affected

No product.

CWE

CWE-250

Execution with Unnecessary Privileges

CWE-1220

Insufficient Granularity of Access Control

{"id": "CVE-2024-52799", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2024-11-21T17:15:24.220", "references": [{"url": "https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987", "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-250"}, {"lang": "en", "value": "CWE-1220"}]}], "descriptions": [{"lang": "en", "value": "Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0."}, {"lang": "es", "value": "El diagrama de flujos de trabajo de Argo se utiliza para configurar Argo y sus dependencias necesarias a trav\u00e9s de un comando. Antes de la versi\u00f3n 0.44.0, el rol de flujo de trabajo tiene privilegios excesivos, el peor de los cuales es create pods/exec, que permitir\u00e1 que kubectl exec ingrese a cualquier Pod en el mismo espacio de nombres, es decir, la ejecuci\u00f3n de c\u00f3digo arbitrario dentro de esos Pods. Si se puede obligar a un usuario a ejecutar una plantilla maliciosa, se puede comprometer todo su espacio de nombres. Esto afecta a las versiones del diagrama de flujos de trabajo de Argo que usan appVersion: 3.4 y posteriores, que ya no necesitan estos permisos para el \u00fanico Ejecutor disponible, Emissary. Tambi\u00e9n podr\u00eda afectar a los usuarios de versiones anteriores a la 3.4, seg\u00fan su elecci\u00f3n de Ejecutor en esas versiones. Esto solo afecta al diagrama de Helm y no a los manifiestos ascendentes. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.44.0."}], "lastModified": "2024-11-21T17:15:24.220", "sourceIdentifier": "security-advisories@github.com"}