Advisories for Golang/Github.com/Argoproj/Argo-Workflows package

2022

Malicious HTML+XHR Artifact Privilege Escalation in Argo Workflows

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions an attacker can create a workflow that produces an HTML artifact: an HTML file containing a script that uses XHR calls to interact with the Argo Server API. The attacker emails the deep-link to the artifact to their victim. The victim opens the link and the script starts running. As the …

2021

Potential privilege escalation on Kubernetes >= v1.19 when the Argo Server is run with `--auth-mode=client`

Impact: This is a pro-active fix. No known exploits exist. Impacted:

- You're running Kubernetes >= v1.19.
- You're running Argo Server.
- It is configured with `--auth-mode=client`.
- It is not configured with `--auth-mode=server`.
- You are not running Argo Server in a Kubernetes pod, e.g. it runs on bare metal or another VM.
- You're using a client key to authenticate on the server.
- The server has more permissions than the connecting client's account.

The client's authentication will be …

Argo Server TLS requests could be forged by attacker with network access

Impact: We are not aware of any exploits. This is a pro-active fix. Impacted:

- You are running Argo Server < v3.0 with `--secure=true`, or >= v3.0 with `--secure` unspecified (note: running in secure mode is recommended regardless).
- The attacker is within your network. If you expose Argo Server to the Internet then "your network" is "the Internet".

The Argo Server's keys are packaged within the image. They could be …