{ "schema_version": "1.4.0", "id": "GHSA-6c73-2v8x-qpvm", "modified": "2021-08-23T17:02:24Z", "published": "2021-08-23T19:41:30Z", "aliases": [], "summary": "Argo Server TLS requests could be forged by attacker with network access", "details": "### Impact\n\nWe are not aware of any exploits. This is a pro-active fix.\n\nImpacted: \n\n* You are running Argo Server < v3.0 with `--secure=true` or >= v3.0 with `--secure` unspecified (note - running in secure mode is recommended regardless).\n* The attacker is within your network. If you expose Argo Server to the Internet then \"your network\" is \"the Internet\". \n\nThe Argo Server's keys are packaged within the image. They could be extracted and used to decrypt traffic, or forge requests.\n\n### Patches\n\nhttps://github.com/argoproj/argo-workflows/pull/6540\n\n### Workarounds\n\n* Make sure that your Argo Server service or pod are not directly accessible outside of your cluster. Put TLS load balancer in front of it.\n\nThis was identified by engineers at Jetstack.io", "severity": [], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-workflows/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.9" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-workflows/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.1.0" }, { "fixed": "3.1.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-6c73-2v8x-qpvm" } ], "database_specific": { "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-23T17:02:24Z", "nvd_published_at": null } }