How the CVE Works:
The vulnerability exists in the workflow-controller component of Argo Workflows. When the controller interacts with an external artifact repository (such as S3, GCS, or Azure Blob Storage) to retrieve or store workflow outputs, it logs the full HTTP request or API call. If the connection to the repository requires authentication, the credentials, such as Bearer tokens or access keys, are included within these log messages in plaintext. An attacker with permissions to read pod logs in the Kubernetes namespace where Argo Workflows is running can query the logs for the workflow-controller pod. By extracting these logged credentials, the attacker gains unauthorized access to the connected artifact repository, allowing them to exfiltrate, modify, or delete sensitive workflow artifacts.
Platform: Argo Workflows
Version: 3.7.0-3.7.2
Vulnerability: Information Disclosure
Severity: High
Date: 2024-10-14
Prediction: Patch by 2024-10-21
What Undercode Say:
kubectl logs -n argo -l app=workflow-controller --tail=100 | grep -i "authorization"
kubectl get events -n argo --sort-by='.lastTimestamp'
How Exploit:
1. Attacker enumerates pods.
2. Retrieves controller pod logs.
3. Scans logs for credentials.
4. Accesses artifact repository.
Protection from this CVE:
Upgrade to patched versions.
Restrict pod log access.
Use repository IAM roles.
Apply log filtering rules.
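One way to implement the log filtering item above is to mask credential values before controller logs reach a shared log store. This is an added example, not code from the original page or from the Argo project; the log lines are constructed and the patterns are assumptions about common credential shapes, not Argo's actual log format.

```shell
#!/bin/sh
# Added example: mask credential values in log text before it is stored or shared.
# The patterns are assumptions about common credential shapes, not Argo's real log format.

# "Authorization: Bearer <token>" style headers, in key=value or JSON-like form.
CRED_HDR='[Aa]uthorization[":= ]+([Bb]earer|[Bb]asic) +'
# accessKey / secret_key / accessKeyId style fields.
CRED_KEY='([Aa]ccess|[Ss]ecret)[_-]?[Kk]ey[A-Za-z]*[":= ]+'

# Read log lines on stdin, write them with credential values replaced.
redact_credentials() {
  sed -E \
    -e "s#(${CRED_HDR})[A-Za-z0-9._~+/=-]+#\\1[REDACTED]#g" \
    -e "s#(${CRED_KEY})[^\" ,}]+#\\1[REDACTED]#g"
}

# Count lines on stdin that carry a credential (run on raw logs to size the exposure).
count_leaks() {
  grep -Ec "${CRED_HDR}[^ ]|${CRED_KEY}[^\" ,}]" || true
}

# Constructed sample lines; every token and key below is a placeholder.
sample_log() {
  cat <<'EOF'
time="2024-10-14T10:00:00Z" level=info msg="workflow started" workflow=hello-world
time="2024-10-14T10:00:01Z" level=debug msg="GET https://artifacts.example.invalid/out.tgz" Authorization="Bearer CONSTRUCTED.TOKEN.VALUE"
time="2024-10-14T10:00:02Z" level=debug msg="saving artifact" accessKey=CONSTRUCTEDKEYID secretKey=CONSTRUCTED/SECRET+VALUE
time="2024-10-14T10:00:03Z" level=info msg="workflow completed" workflow=hello-world
EOF
}

# Demonstration on the constructed sample: prints four lines, two of them masked.
sample_log | redact_credentials
```

Masking in the log pipeline only protects downstream copies; the raw pod log is unchanged, so the upgrade and the pod log access restriction listed above still apply, and any credential that `count_leaks` finds should be rotated.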
Impact:
Artifact data theft
Data manipulation
Repository compromise
Credential leakage
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

