CVE-2024-47827

medium

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr

https://github.com/argoproj/argo-workflows/pull/13641

https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a

https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75

Details

Source: Mitre, NVD

Published: 2024-10-28

Updated: 2024-11-05

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:A/AC:H/Au:S/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 4.8

Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium