WS-2021-0351
Good to know:
Date: August 24, 2021
Vulnerable versions of argo-workflows are 3.0.0 through 3.0.8 and 3.1.0 through 3.1.5. In these versions the client's authentication is ignored and the server's authentication is used, which results in privilege escalation to that of the server's account. Fixed in versions 3.0.9 and 3.1.6 of argo-workflows by removing the client private key from the client auth REST config.
Language: Go
Severity Score
Weakness Type (CWE)
Improper Privilege Management
CWE-269
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | HIGH |
Privileges Required (PR): | HIGH |
User Interaction (UI): | NONE |
Scope (S): | CHANGED |
Confidentiality (C): | LOW |
Integrity (I): | NONE |
Availability (A): | NONE |