GMS-2021-85: Potential privilege escalation on Kubernetes >= v1.19 when the Argo Sever is run with `--auth-mode=client`

August 23, 2021

Impact

This is pro-active fix. No know exploits exist.

Impacted:

You’re running Kubernetes >= v1.19
You’re running Argo Server
It is configured to with --auth-mode=client
Is not configured with --auth-mode=server
You are not running Argo Server in Kubernetes pod. E.g. on bare metal or other VM.
You’re using client key to authenticate on the server.
The server has more permissions that the connecting client’s account.

The client’s authentication will be ignored and the server’s authentication will be used. This will result in privilege escalation to that of the the server’s account.

Patches

https://github.com/argoproj/argo-workflows/pull/6506

Workarounds

None.

References

Detect and mitigate GMS-2021-85 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →