x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-53862

[GoVulnBot]

Advisory CVE-2024-53862 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-workflows

Description:
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using --auth-mode=client, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name} or when using --auth-mode=sso, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name}. No authentication is performed by the Server itself on client tokens. Authentication & authorization is instead delegated to the k8s API server. However, ...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-53862
• FIX: https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715
• WEB: GHSA-h36c-m3rf-34h9

Cross references:

• github.com/argoproj/argo-workflows appears in 6 other report(s):
  • data/excluded/GO-2022-0408.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: GHSA-rc7p-gmvh-xfx2 #408) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0445.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2022-29164 #445) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0388.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows/v3: GHSA-6c73-2v8x-qpvm #388)
  • data/reports/GO-2022-0405.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows/v3: GHSA-prqf-xr2j-xf65 #405)
  • data/reports/GO-2022-0928.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows/v3: CVE-2021-37914, GHSA-h563-xh25-x54q #928)
  • data/reports/GO-2024-3226.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-47827 #3226)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-workflows
      vulnerable_at: 0.4.7
summary: CVE-2024-53862 in github.com/argoproj/argo-workflows
cves:
    - CVE-2024-53862
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53862
    - fix: https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715
    - web: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9
source:
    id: CVE-2024-53862
    created: 2024-12-02T18:01:27.065412587Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/632976 mentions this issue: data/reports: add 5 unreviewed reports