Executive Summary

This vulnerability affects Argo Workflows versions from 4.0.0 to before 4.0.5. The workflow executor logs all artifact repository credentials, such as S3 access keys, secret keys, GCS service account keys, Azure account keys, and Git passwords, in plaintext during artifact operations. As a result, any user with read access to the workflow pod logs can extract these sensitive credentials.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive credentials used for accessing artifact repositories. If an attacker or unauthorized user gains read access to the workflow pod logs, they can retrieve these plaintext credentials and potentially misuse them to access or manipulate stored artifacts, cloud services, or source code repositories.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability has been patched in Argo Workflows version 4.0.5. To mitigate this vulnerability, you should upgrade your Argo Workflows installation to version 4.0.5 or later.

Additionally, restrict read access to workflow pod logs to only trusted users, as any user with read access can extract sensitive credentials from the logs.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes sensitive credentials such as S3 access keys, secret keys, GCS service account keys, Azure account keys, and Git passwords to be logged in plaintext in workflow pod logs. Any user with read access to these logs can extract these credentials.

Exposure of such sensitive information can lead to unauthorized access and data breaches, which may violate data protection and privacy regulations like GDPR and HIPAA that require safeguarding of sensitive data and credentials.

Therefore, this vulnerability negatively impacts compliance with common standards and regulations by increasing the risk of unauthorized data access and potential data breaches.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the logging of artifact repository credentials in plaintext within the workflow executor logs of Argo Workflows versions 4.0.0 to before 4.0.5. To detect if your system is affected, you should check the logs of workflow pods for any plaintext credentials such as S3 access keys, secret keys, GCS service account keys, Azure account keys, or Git passwords.

A practical approach is to access the logs of the workflow pods and search for keywords related to credentials. For example, you can use kubectl commands to retrieve logs and grep for common credential patterns.

• kubectl logs <workflow-pod-name> | grep -iE 'access_key|secret_key|service_account|password|token'
• kubectl logs <workflow-pod-name> --since=24h | grep -i 'credential'

If you find any such credentials in the logs, it indicates that your system is vulnerable if running a version between 4.0.0 and before 4.0.5. Upgrading to version 4.0.5 or later is recommended to mitigate this issue.

Useful 0 Not Useful 0