{ "schema_version": "1.4.0", "id": "GHSA-h563-xh25-x54q", "modified": "2021-08-30T23:23:11Z", "published": "2021-08-09T20:37:50Z", "aliases": [ "CVE-2021-37914" ], "summary": "Workflow re-write vulnerability using input parameter", "details": "### Impact\n\n* Allow end-users to set input parameters, but otherwise expect workflows to be secure.\n\n### Patches\n\nNot yet.\n\n### Workarounds\n\n* Set `EXPRESSION_TEMPLATES=false` for the workflow controller\n\n\n### References\n\n* https://github.com/argoproj/argo-workflows/issues/6441\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n", "severity": [], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-workflows/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.1.0" }, { "fixed": "3.1.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h563-xh25-x54q" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37914" }, { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/issues/6441" }, { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/pull/6285" }, { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/pull/6442" }, { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/commit/2a2ecc916925642fd8cb1efd026588e6828f82e1" }, { "type": "PACKAGE", "url": "github.com/argoproj/argo-workflows/v3" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-04T18:26:07Z", "nvd_published_at": "2021-08-03T00:15:00Z" } }