One Article Review

Source CVE List
Identifier 4553624
Publication date 2022-05-06 00:15:07 (seen: 2022-05-06 06:06:13)
Title CVE-2022-29164
Text Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions an attacker can create a workflow which produces an HTML artifact containing an HTML file that contains a script which uses XHR calls to interact with the Argo Server API. The attacker emails the deep-link to the artifact to their victim. The victim opens the link, the script starts running. The script has access to the Argo Server API (as the victim), so it may read information about the victim’s workflows, or create and delete workflows. Note the attacker must be an insider: they must have access to the same cluster as the victim and must already be able to run their own workflows. The attacker must have an understanding of the victim’s system. We have seen no evidence of this in the wild. We urge all users to upgrade to the fixed versions.
Sent Yes
Tags
Stories Uber
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.