Unknown · Argo Workflows · CVE-2021-37914
Name of the Vulnerable Software and Affected Versions:
Argo Workflows versions 3.1.3 and earlier
Description:
The issue arises when `EXPRESSION TEMPLATES` is enabled and untrusted users can specify input parameters for workflows. This allows an attacker to potentially disrupt a workflow because the output of expression templates is evaluated.
Recommendations:
For versions 3.1.3 and earlier, set `EXPRESSION TEMPLATES=false` for the workflow controller as a temporary workaround to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.