CVE-2024-52799 (GCVE-0-2024-52799)
Vulnerability from cvelistv5 – Published: 2024-11-21 17:02 – Updated: 2024-11-21 20:48
VLAI?
Title
Argo Workflows Chart: Excessive Privileges in Workflow Role
Summary
Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.
Severity ?
8.3 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:argoproj:argo-helm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-helm",
"vendor": "argoproj",
"versions": [
{
"lessThan": "0.44.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52799",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T20:41:34.058031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T20:48:51.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-helm",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T17:02:01.525Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m"
},
{
"name": "https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987"
}
],
"source": {
"advisory": "GHSA-fgrf-2886-4q7m",
"discovery": "UNKNOWN"
},
"title": "Argo Workflows Chart: Excessive Privileges in Workflow Role"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52799",
"datePublished": "2024-11-21T17:02:01.525Z",
"dateReserved": "2024-11-15T17:11:13.440Z",
"dateUpdated": "2024-11-21T20:48:51.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.\"}, {\"lang\": \"es\", \"value\": \"El diagrama de flujos de trabajo de Argo se utiliza para configurar Argo y sus dependencias necesarias a trav\\u00e9s de un comando. Antes de la versi\\u00f3n 0.44.0, el rol de flujo de trabajo tiene privilegios excesivos, el peor de los cuales es create pods/exec, que permitir\\u00e1 que kubectl exec ingrese a cualquier Pod en el mismo espacio de nombres, es decir, la ejecuci\\u00f3n de c\\u00f3digo arbitrario dentro de esos Pods. Si se puede obligar a un usuario a ejecutar una plantilla maliciosa, se puede comprometer todo su espacio de nombres. Esto afecta a las versiones del diagrama de flujos de trabajo de Argo que usan appVersion: 3.4 y posteriores, que ya no necesitan estos permisos para el \\u00fanico Ejecutor disponible, Emissary. Tambi\\u00e9n podr\\u00eda afectar a los usuarios de versiones anteriores a la 3.4, seg\\u00fan su elecci\\u00f3n de Ejecutor en esas versiones. Esto solo afecta al diagrama de Helm y no a los manifiestos ascendentes. Esta vulnerabilidad se corrigi\\u00f3 en la versi\\u00f3n 0.44.0.\"}]",
"id": "CVE-2024-52799",
"lastModified": "2024-11-21T17:15:24.220",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 6.0}]}",
"published": "2024-11-21T17:15:24.220",
"references": "[{\"url\": \"https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-250\"}, {\"lang\": \"en\", \"value\": \"CWE-1220\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-52799\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-21T17:15:24.220\",\"lastModified\":\"2024-11-21T17:15:24.220\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.\"},{\"lang\":\"es\",\"value\":\"El diagrama de flujos de trabajo de Argo se utiliza para configurar Argo y sus dependencias necesarias a trav\u00e9s de un comando. Antes de la versi\u00f3n 0.44.0, el rol de flujo de trabajo tiene privilegios excesivos, el peor de los cuales es create pods/exec, que permitir\u00e1 que kubectl exec ingrese a cualquier Pod en el mismo espacio de nombres, es decir, la ejecuci\u00f3n de c\u00f3digo arbitrario dentro de esos Pods. Si se puede obligar a un usuario a ejecutar una plantilla maliciosa, se puede comprometer todo su espacio de nombres. Esto afecta a las versiones del diagrama de flujos de trabajo de Argo que usan appVersion: 3.4 y posteriores, que ya no necesitan estos permisos para el \u00fanico Ejecutor disponible, Emissary. Tambi\u00e9n podr\u00eda afectar a los usuarios de versiones anteriores a la 3.4, seg\u00fan su elecci\u00f3n de Ejecutor en esas versiones. Esto solo afecta al diagrama de Helm y no a los manifiestos ascendentes. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.44.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-250\"},{\"lang\":\"en\",\"value\":\"CWE-1220\"}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52799\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-21T20:41:34.058031Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:argoproj:argo-helm:*:*:*:*:*:*:*:*\"], \"vendor\": \"argoproj\", \"product\": \"argo-helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.44.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-21T20:44:15.708Z\"}}], \"cna\": {\"title\": \"Argo Workflows Chart: Excessive Privileges in Workflow Role\", \"source\": {\"advisory\": \"GHSA-fgrf-2886-4q7m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"argoproj\", \"product\": \"argo-helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.44.0\"}]}], \"references\": [{\"url\": \"https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m\", \"name\": \"https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987\", \"name\": \"https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-250\", \"description\": \"CWE-250: Execution with Unnecessary Privileges\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1220\", \"description\": \"CWE-1220: Insufficient Granularity of Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-21T17:02:01.525Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-52799\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-21T20:48:51.507Z\", \"dateReserved\": \"2024-11-15T17:11:13.440Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-21T17:02:01.525Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…