Information disclosure in Argoproj Argo-workflows

CVE-2024-53862

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoin…

Vulnerability class: Information Disclosure

EPSS: 0.003 (55.5th percentile) — read the EPSS interpretation.

Affected products

Argoproj Argo-workflows — versions >= 3.5.7, < 3.5.13, >= 3.6.0-rc1, < 3.6.2

Weakness classification (CWE)

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9 (x_refsource_CONFIRM)
https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715 (x_refsource_MISC)