CVE-2024-47827: Argo Workflows Controller: Denial of Service via malicious daemon Workflows
(updated )
Due to a race condition in a global variable, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow.
This was resolved by https://github.com/argoproj/argo-workflows/pull/13641
References
- github.com/advisories/GHSA-ghjw-32xw-ffwr
- github.com/argoproj/argo-workflows
- github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go
- github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a
- github.com/argoproj/argo-workflows/pull/13641
- github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr
- nvd.nist.gov/vuln/detail/CVE-2024-47827
Code Behaviors & Features
Detect and mitigate CVE-2024-47827 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →