GHSA-hmp7-x699-cvhq: Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR

April 14, 2025

A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.

References

github.com/advisories/GHSA-hmp7-x699-cvhq
github.com/argoproj/argo-events
github.com/argoproj/argo-events/commit/18412293a699f559848b00e6e459c9ce2de0d3e2
github.com/argoproj/argo-events/pull/3528
github.com/argoproj/argo-events/security/advisories/GHSA-hmp7-x699-cvhq

Code Behaviors & Features

Detect and mitigate GHSA-hmp7-x699-cvhq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →