
THREATINT
PUBLISHED

CVE-2024-47827

Argo Workflows Controller: Denial of Service via malicious daemon Workflows



Assigner: GitHub_M
Reserved: 2024-10-03
Published: 2024-10-28
Updated: 2024-10-28

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the Argo Workflows controller can be made to crash on command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.



MEDIUM: 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Product status

>= 3.6.0-rc1, < 3.6.0-rc2: affected

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr

https://github.com/argoproj/argo-workflows/pull/13641

https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a

https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75

cve.org CVE-2024-47827

nvd.nist.gov CVE-2024-47827
