CVE-2024-53862: Access to Archived Argo Workflows with Fake Token in `client` mode

December 2, 2024

When using --auth-mode=client, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name}

When using --auth-mode=sso, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name}

References

github.com/advisories/GHSA-h36c-m3rf-34h9
github.com/argoproj/argo-workflows
github.com/argoproj/argo-workflows/pull/13021/files
github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9
nvd.nist.gov/vuln/detail/CVE-2024-53862

Detect and mitigate CVE-2024-53862 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →