Potential privilege escalation on Kubernetes >= v1.19 when the Argo Server is run with `--auth-mode=client`

Low severity GitHub Reviewed Published Aug 18, 2021 in argoproj/argo-workflows • Updated Jan 9, 2023

Package

gomod github.com/argoproj/argo-workflows/v3 (Go)

Affected versions

>= 3.0.0, < 3.0.9
>= 3.1.0, < 3.1.6

Patched versions

3.0.9
3.1.6

Description

Impact

This is a proactive fix. No known exploits exist.

Impacted:

  • You're running Kubernetes >= v1.19
  • You're running Argo Server
  • It is configured with --auth-mode=client
  • It is not configured with --auth-mode=server
  • You are not running Argo Server in a Kubernetes pod, e.g. it runs on bare metal or in another VM.
  • You're using a client key to authenticate on the server.
  • The server has more permissions than the connecting client's account.

The client's authentication will be ignored and the server's authentication will be used. This will result in privilege escalation to that of the server's account.
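The conditions above are all conjunctive: a deployment is only in scope when every one of them holds, and the patched versions are the only fix the advisory offers. The following Python script is an added example, not code from the advisory or from the Argo project. It encodes the affected-version ranges and the "Impacted" conditions so an operator can check an inventory of Argo Server instances against them; the `ArgoServerDeployment` shape and the sample deployments at the bottom are assumptions constructed for this example.

```python
"""Configuration audit for GHSA-prqf-xr2j-xf65 (Argo Server --auth-mode=client).

Encodes the advisory's affected-version ranges and the conditions listed under
"Impacted" and reports which conditions a given deployment does or does not
meet. The deployment description (dataclass fields below) is an assumption made
for this example; it does not come from the advisory or from Argo itself.
"""
from dataclasses import dataclass

# From the advisory: affected if >= 3.0.0, < 3.0.9 or >= 3.1.0, < 3.1.6
AFFECTED_RANGES = (((3, 0, 0), (3, 0, 9)), ((3, 1, 0), (3, 1, 6)))
PATCHED_VERSIONS = ("3.0.9", "3.1.6")
MIN_KUBERNETES = (1, 19, 0)


def parse_version(text):
    """Parse 'v3.1.5', '3.1.5-rc1' or 'v1.19' into a (major, minor, patch) tuple.

    Pre-release and build suffixes are dropped; a missing patch component is
    treated as 0. Raises ValueError for anything else.
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_is_affected(text):
    """True if the Argo Workflows version falls in one of the advisory's ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


@dataclass
class ArgoServerDeployment:
    """Facts an operator can gather about one Argo Server instance (assumed shape)."""
    argo_version: str           # e.g. "v3.1.5"
    kubernetes_version: str     # e.g. "v1.21.2"
    auth_modes: list            # every value passed via --auth-mode (the flag may repeat)
    runs_in_pod: bool           # False when the server runs on bare metal or in a VM
    clients_use_client_key: bool
    server_has_more_permissions: bool  # server's account outranks the clients' accounts


def audit(dep):
    """Return the advisory conditions this deployment does NOT meet.

    An empty list means every condition in the advisory's "Impacted" list holds,
    i.e. client credentials would be ignored in favour of the server's own
    account. Any unmet condition takes the deployment out of scope.
    """
    unmet = []
    if not version_is_affected(dep.argo_version):
        unmet.append("Argo Workflows version is outside the affected ranges")
    if parse_version(dep.kubernetes_version) < MIN_KUBERNETES:
        unmet.append("Kubernetes is older than v1.19")
    if "client" not in dep.auth_modes:
        unmet.append("--auth-mode=client is not configured")
    if "server" in dep.auth_modes:
        unmet.append("--auth-mode=server is also configured")
    if dep.runs_in_pod:
        unmet.append("Argo Server runs inside a Kubernetes pod")
    if not dep.clients_use_client_key:
        unmet.append("clients do not authenticate with a client key")
    if not dep.server_has_more_permissions:
        unmet.append("server account has no more permissions than the clients")
    return unmet


def report(dep):
    """Human-readable summary; the advisory lists no workaround, only the patch."""
    unmet = audit(dep)
    if not unmet:
        return ("AFFECTED: all conditions of GHSA-prqf-xr2j-xf65 hold; upgrade to "
                + " or ".join(PATCHED_VERSIONS))
    return "not in scope: " + "; ".join(unmet)


if __name__ == "__main__":
    # Constructed sample deployments, not real systems.
    exposed = ArgoServerDeployment("v3.1.5", "v1.21.2", ["client"], False, True, True)
    mixed = ArgoServerDeployment("v3.1.5", "v1.21.2", ["client", "server"], False, True, True)
    patched = ArgoServerDeployment("v3.1.6", "v1.21.2", ["client"], False, True, True)
    for d in (exposed, mixed, patched):
        print(d.argo_version, d.auth_modes, "->", report(d))
```

The version comparison is deliberately exclusive at the upper bound, so 3.0.9 and 3.1.6 (the patched releases) fall outside the ranges while 3.0.8 and 3.1.5 fall inside. Because the `--auth-mode` flag can be given more than once, the check treats `auth_modes` as the full list of values rather than a single string.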

Patches

argoproj/argo-workflows#6506

Workarounds

None.

References

@alexec alexec published to argoproj/argo-workflows Aug 18, 2021
Reviewed Aug 23, 2021
Published to the GitHub Advisory Database Aug 23, 2021
Last updated Jan 9, 2023

Severity

Low

CVE ID

No known CVE

GHSA ID

GHSA-prqf-xr2j-xf65

Source code

No known source code