mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 17:21:36 +00:00
68 lines
3.4 KiB
JSON
68 lines
3.4 KiB
JSON
{
|
|
"id": "CVE-2024-52799",
|
|
"sourceIdentifier": "security-advisories@github.com",
|
|
"published": "2024-11-21T17:15:24.220",
|
|
"lastModified": "2024-11-21T17:15:24.220",
|
|
"vulnStatus": "Awaiting Analysis",
|
|
"cveTags": [],
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "El diagrama de flujos de trabajo de Argo se utiliza para configurar Argo y sus dependencias necesarias a trav\u00e9s de un comando. Antes de la versi\u00f3n 0.44.0, el rol de flujo de trabajo tiene privilegios excesivos, el peor de los cuales es create pods/exec, que permitir\u00e1 que kubectl exec ingrese a cualquier Pod en el mismo espacio de nombres, es decir, la ejecuci\u00f3n de c\u00f3digo arbitrario dentro de esos Pods. Si se puede obligar a un usuario a ejecutar una plantilla maliciosa, se puede comprometer todo su espacio de nombres. Esto afecta a las versiones del diagrama de flujos de trabajo de Argo que usan appVersion: 3.4 y posteriores, que ya no necesitan estos permisos para el \u00fanico Ejecutor disponible, Emissary. Tambi\u00e9n podr\u00eda afectar a los usuarios de versiones anteriores a la 3.4, seg\u00fan su elecci\u00f3n de Ejecutor en esas versiones. Esto solo afecta al diagrama de Helm y no a los manifiestos ascendentes. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.44.0."
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "security-advisories@github.com",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
|
|
"baseScore": 8.2,
|
|
"baseSeverity": "HIGH",
|
|
"attackVector": "LOCAL",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "REQUIRED",
|
|
"scope": "CHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH"
|
|
},
|
|
"exploitabilityScore": 1.5,
|
|
"impactScore": 6.0
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "security-advisories@github.com",
|
|
"type": "Secondary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-250"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-1220"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://github.com/argoproj/argo-helm/commit/81dc44c4a5ccd42c799469a78eb96a68048a4987",
|
|
"source": "security-advisories@github.com"
|
|
},
|
|
{
|
|
"url": "https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m",
|
|
"source": "security-advisories@github.com"
|
|
}
|
|
]
|
|
} |