{ "schema_version": "1.4.0", "id": "GHSA-prqf-xr2j-xf65", "modified": "2021-08-23T17:05:11Z", "published": "2021-08-23T19:41:41Z", "aliases": [], "summary": "Potential privilege escalation on Kubernetes >= v1.19 when the Argo Sever is run with `--auth-mode=client`", "details": "### Impact\n\nThis is pro-active fix. No know exploits exist. \n\nImpacted:\n\n* You're running Kubernetes >= v1.19\n* You're running Argo Server\n* It is configured to with `--auth-mode=client`\n* Is not configured with `--auth-mode=server`\n* You are not running Argo Server in Kubernetes pod. E.g. on bare metal or other VM.\n* You're using client key to authenticate on the server. \n* The server has more permissions that the connecting client's account.\n\nThe client's authentication will be ignored and the server's authentication will be used. This will result in privilege escalation to that of the the server's account.\n\n### Patches\n\nhttps://github.com/argoproj/argo-workflows/pull/6506\n\n### Workarounds\n\nNone.", "severity": [], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-workflows/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.9" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-workflows/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.1.0" }, { "fixed": "3.1.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-prqf-xr2j-xf65" } ], "database_specific": { "cwe_ids": [ "CWE-285" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-08-23T17:05:11Z", "nvd_published_at": null } }