CVE-2024-47827
PUBLISHED
CVSS 5.7 MEDIUM
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the Argo Workflows controller can be made to crash on command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.
EPSS 0.15% · 34.7th percentile
Risk Scores
- CVSS v3.1: 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
- EPSS Score: 0.15% (34.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| argoproj | argo-workflows | >= 3.6.0-rc1, < 3.6.0-rc2 |
| github.com | argoproj/argo-workflows/v3 | 3.6.0-rc1 |
| argoproj | argo-workflows | 3.6.0-rc1 |
| argoproj | argo_workflows | 3.6.0 |
Timeline
- Jan 21, 1970 Security Advisory
- Oct 28, 2024 CVE Published
- Oct 28, 2024 Coalition ESS Score
- Oct 28, 2024 PoC Published
- Oct 29, 2024 EPSS Score
- Oct 30, 2024 Coalition ESS Score
- Nov 6, 2024 Coalition ESS Score
- Nov 16, 2024 EPSS Score
- Dec 5, 2024 EPSS Score
- Dec 23, 2024 EPSS Score
- Jan 11, 2025 EPSS Score
- Jan 29, 2025 EPSS Score
References
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr
- https://github.com/argoproj/argo-workflows/pull/13641
- https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a
- https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75
- https://nvd.nist.gov/vuln/detail/CVE-2024-47827 (advisory)
- https://github.com/argoproj/argo-workflows (package)