Arbitrary Code Execution Affecting github.com/argoproj/argo-workflows/v3/cmd/argo/commands Open this link in a new tab package, versions <3.1.0
Proof of concept
Do your applications use this vulnerable package?
3 Aug 2021
2 Aug 2021
Ryan Robinson, Nicole Fishbein
Introduced: 2 Aug 2021CWE-94 Open this link in a new tab
How to fix?
github.com/argoproj/argo-workflows/v3/cmd/argo/commands to version 3.1.0 or higher.
github.com/argoproj/argo-workflows/v3/cmd/argo/commands is a workflow engine for Kubernetes.
Affected versions of this package are vulnerable to Arbitrary Code Execution. Users running using the Argo Server with
--auth-mode=server (which is the default before version 3.0.0) and have exposed their UI to the internet may allow remote users to execute arbitrary code on their cluster.