CVSS: 2.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52814 – Helm Lacks Granularity in Workflow Role
https://notcve.org/view.php?id=CVE-2024-52814
22 Nov 2024 — Argo Helm is a collection of community maintained charts for `argoproj.github.io` projects. Prior to version 0.45.0, the `workflow-role`) lacks granularity in its privileges, giving permissions to `workflowtasksets` and `workflowartifactgctasks` to all workflow Pods, when only certain types of Pods created by the Controller require these privileges. The impact is minimal, as an attack could only affect status reporting for certain types of Pods and templates. Version 0.45.0 fixes the issue. • https://github.com/argoproj/argo-helm/blob/2653aef414ab6a5d8617af75f04190a8f7da28dc/charts/argo-workflows/templates/controller/workflow-role.yaml • CWE-1220: Insufficient Granularity of Access Control •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52799 – Argo Workflows Chart: Excessive Privileges in Workflow Role
https://notcve.org/view.php?id=CVE-2024-52799
21 Nov 2024 — Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these per... • https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m • CWE-250: Execution with Unnecessary Privileges CWE-1220: Insufficient Granularity of Access Control •