CVE-2021-37914

Опубликовано: 03 авг. 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 5.8

EPSS Низкий

Описание

In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated.

Ссылки

https://github.com/argoproj/argo-workflows/issues/6441
Exploit
Issue Tracking
Third Party Advisory
https://github.com/argoproj/argo-workflows/pull/6442
Exploit
Patch
Third Party Advisory
https://github.com/argoproj/argo-workflows/issues/6441
Exploit
Issue Tracking
Third Party Advisory
https://github.com/argoproj/argo-workflows/pull/6442
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:argo-workflows_project:argo-workflows:*:*:*:*:*:*:*:*

Версия до 3.1.3 (включая)

EPSS

Процентиль: 50%

0.00271

Низкий

6.5 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-20

Связанные уязвимости

GHSA-h563-xh25-x54q

github

больше 4 лет назад

Workflow re-write vulnerability using input parameter