Unknown · Argo Workflows Chart · CVE-2024-52799
**Name of the Vulnerable Software and Affected Versions**
Argo Workflows Chart versions prior to 0.44.0
**Description**
The workflow-role in the Argo Workflows Chart has excessive privileges, including permission to create `pods/exec`, which allows arbitrary code execution within pods in the same namespace. If a user can be made to run a malicious template, their whole namespace can be compromised. This issue affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, as well as users below 3.4, depending on their choice of Executor. The vulnerability is specific to the Helm Chart and does not affect the upstream manifests.
**Recommendations**
For versions prior to 0.44.0, update to version 0.44.0 to fix the issue. As a temporary workaround, consider restricting the privileges of the workflow-role to minimize the risk of exploitation.
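
One way to check whether a namespace still carries the over-privileged rule, added here as an example (not code from the chart or from the advisory): the script scans Role objects, in the JSON shape returned by `kubectl get role -n <namespace> -o json`, for rules that grant `create` on `pods/exec`. It goes slightly beyond the literal case by also matching the wildcard forms Kubernetes RBAC accepts (`*` and `*/exec`). The role names, namespace and rules in `SAMPLE` are constructed.

```python
# Added example: flag RBAC rules that allow `create` on the core `pods/exec`
# subresource. Input shape matches `kubectl get role -n <namespace> -o json`.

# Constructed sample data; role names, namespace and rules are illustrative only.
SAMPLE = {
    "kind": "List",
    "items": [
        {"kind": "Role",
         "metadata": {"name": "example-workflow-role", "namespace": "argo"},
         "rules": [
             {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "watch"]},
             {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
         ]},
        {"kind": "Role",
         "metadata": {"name": "example-wildcard-role", "namespace": "argo"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "Role",
         "metadata": {"name": "example-restricted-role", "namespace": "argo"},
         "rules": [
             {"apiGroups": ["argoproj.io"], "resources": ["workflowtaskresults"],
              "verbs": ["create", "patch"]},
             {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]},
         ]},
    ],
}


def rule_grants_pod_exec(rule):
    """True if one PolicyRule allows `create` on `pods/exec` in the core API group."""
    group_ok = any(g in ("", "*") for g in rule.get("apiGroups", []))
    # RBAC matches an exact name, "*" (everything) or "*/<subresource>"; "pods/*" is not a wildcard.
    resource_ok = any(r in ("*", "pods/exec", "*/exec") for r in rule.get("resources", []))
    verb_ok = any(v in ("create", "*") for v in rule.get("verbs", []))
    return group_ok and resource_ok and verb_ok


def audit_roles(doc):
    """Return (namespace, role name, rule index) for every offending rule."""
    findings = []
    for role in doc.get("items", [doc]):  # accept a List or a single Role object
        if role.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = role.get("metadata", {})
        for idx, rule in enumerate(role.get("rules") or []):
            if rule_grants_pod_exec(rule):
                findings.append((meta.get("namespace", ""), meta.get("name", ""), idx))
    return findings


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE):
        print("pods/exec create allowed:", finding)
```

An empty result for the namespace where workflows run means no Role there grants the permission the advisory describes; RoleBindings that reference a ClusterRole need the same check run against the ClusterRole objects.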