Description
Workflow re-write vulnerability using input parameter
Impact
- Allow end-users to set input parameters, but otherwise expect workflows to be secure.
Patches
Not yet.
Workarounds
- Set EXPRESSION_TEMPLATES=false for the workflow controller
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in example link to repo
- Email us at example email address
Links
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h563-xh25-x54q
- https://nvd.nist.gov/vuln/detail/CVE-2021-37914
- https://github.com/argoproj/argo-workflows/issues/6441
- https://github.com/argoproj/argo-workflows/pull/6285
- https://github.com/argoproj/argo-workflows/pull/6442
- https://github.com/argoproj/argo-workflows/commit/2a2ecc916925642fd8cb1efd026588e6828f82e1
Packages
Name
github.com/argoproj/argo-workflows/v3
go
Affected versions
>= 3.1.0, < 3.1.6
Fixed version
3.1.6
Related vulnerabilities
CVSS3: 6.5
nvd
more than 4 years ago
In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated.