Skip to content

Argo Server TLS requests could be forged by attacker with network access

Moderate severity GitHub Reviewed Published Aug 18, 2021 in argoproj/argo-workflows • Updated Jan 9, 2023

Package

gomod github.com/argoproj/argo-workflows/v3 (Go)

Affected versions

>= 3.0.0, < 3.0.9
>= 3.1.0, < 3.1.6

Patched versions

3.0.9
3.1.6

Description

Impact

We are not aware of any exploits. This is a pro-active fix.

Impacted:

  • You are running Argo Server < v3.0 with --secure=true or >= v3.0 with --secure unspecified (note - running in secure mode is recommended regardless).
  • The attacker is within your network. If you expose Argo Server to the Internet then "your network" is "the Internet".

The Argo Server's keys are packaged within the image. They could be extracted and used to decrypt traffic, or forge requests.

Patches

argoproj/argo-workflows#6540

Workarounds

  • Make sure that your Argo Server service or pod are not directly accessible outside of your cluster. Put TLS load balancer in front of it.

This was identified by engineers at Jetstack.io

References

@alexec alexec published to argoproj/argo-workflows Aug 18, 2021
Reviewed Aug 23, 2021
Published to the GitHub Advisory Database Aug 23, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-6c73-2v8x-qpvm

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.