Skip to content

x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-47827 #3226

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-47827#3226
Assignees
zpavlinovic
Labels
triaged
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Oct 28, 2024

Advisory CVE-2024-47827 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-workflows

Description:
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-workflows
      vulnerable_at: 0.4.7
summary: CVE-2024-47827 in github.com/argoproj/argo-workflows
cves:
    - CVE-2024-47827
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47827
    - fix: https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a
    - fix: https://github.com/argoproj/argo-workflows/pull/13641
    - web: https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75
    - web: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr
source:
    id: CVE-2024-47827
    created: 2024-10-28T17:01:19.215390854Z
review_status: UNREVIEWED

Metadata

Metadata

Assignees

Labels

triaged

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions