PT-2022-19423 · Unknown · Kubernetes +2
Alexec · Published 2022-05-05 · Updated 2026-02-06 · CVE-2022-29164
CVSS v3.1: 7.1 High
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Argo Workflows versions prior to the fixed version
Description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions, an attacker can create a workflow that produces an HTML artifact containing an HTML file with a script that uses XHR calls to interact with the Argo Server API. The attacker emails a deep link to the artifact to the victim, who, upon opening the link, allows the script to run. With access to the Argo Server API as the victim, the script may read information about the victim's workflows or create and delete workflows. The attacker must be an insider with access to the same cluster as the victim and must already be able to run their own workflows. They must also have an understanding of the victim's system. There is no evidence of this issue being exploited in the wild.
Recommendations: As a temporary workaround, consider disabling the Argo Server until a patch is available. Upgrade to the fixed version to resolve the issue. Note that disabling the Argo Server is currently the only known workaround, and no fix is planned for version 2.12, which has been out of support for some time.
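The issue described above depends on a workflow-produced HTML artifact being rendered as a live document in the same origin as the Argo Server API, so that its script runs with the victim's API access. The Go snippet below is an added illustration of that serving-side distinction and of a header check a defender can run against their own artifact endpoint; it is not Argo's code and not the project's actual fix. It contrasts a handler that returns a constructed HTML artifact inline with one that returns the same bytes as a download under a CSP sandbox, and a function (ArtifactHeaderFindings, a name chosen for this example) that reports which browser-facing protections a response lacks. The handler names, the sample artifact and the request path are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample: an HTML artifact carrying an inline script, standing in
// for a workflow output. The script body is only a comment and does nothing.
const sampleArtifact = `<html><body><script>/* XHR to the API would go here */</script></body></html>`

// serveArtifactInline is the weak pattern: the artifact is returned as an
// HTML document, so a browser renders it in the serving origin and runs its
// script with that origin's cookies and API reach.
func serveArtifactInline(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, sampleArtifact)
}

// serveArtifactHardened returns the same bytes, but as a download: the
// browser is told not to render it, not to sniff it into HTML, and, should a
// user agent render it anyway, to do so in a CSP sandbox with scripts off.
func serveArtifactHardened(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", `attachment; filename="artifact.html"`)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "sandbox")
	fmt.Fprint(w, sampleArtifact)
}

// ArtifactHeaderFindings exercises a handler with a GET against a constructed
// path and reports which protections its response headers lack. An empty
// result means the response is not offered to the browser as a live document.
func ArtifactHeaderFindings(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/artifacts/sample", nil)
	h(rec, req)
	hdr := rec.Result().Header

	var findings []string
	if strings.HasPrefix(strings.ToLower(hdr.Get("Content-Type")), "text/html") {
		findings = append(findings, "served as text/html")
	}
	if !strings.HasPrefix(strings.ToLower(hdr.Get("Content-Disposition")), "attachment") {
		findings = append(findings, "no Content-Disposition: attachment")
	}
	if !strings.Contains(hdr.Get("Content-Security-Policy"), "sandbox") {
		findings = append(findings, "no CSP sandbox")
	}
	if !strings.EqualFold(hdr.Get("X-Content-Type-Options"), "nosniff") {
		findings = append(findings, "no X-Content-Type-Options: nosniff")
	}
	return findings
}

func main() {
	for name, h := range map[string]http.HandlerFunc{
		"inline":   serveArtifactInline,
		"hardened": serveArtifactHardened,
	} {
		fmt.Printf("%-9s %v\n", name, ArtifactHeaderFindings(h))
	}
}
```

The check is a header heuristic: it tells you whether a response invites the browser to render the artifact as a document, which is the precondition the advisory describes, not whether any particular artifact contains a script. Pointing the same function at the real handler that serves artifacts in your deployment gives a quick regression test that the hardening stays in place after upgrades.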

Weakness Enumeration

Improper Privilege Management

Related Identifiers

BIT-ARGO-WORKFLOWS-2022-29164
CVE-2022-29164
GHSA-CMV8-6362-R5W9

Affected Products

Argo Server
Argo Workflows
Kubernetes