CVE-2022-29164: 
vulnerability analysis and mitigation

Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes, was found to contain a vulnerability (CVE-2022-29164) that affects versions from 2.6.0 up to 3.2.11 and 3.3.0 up to 3.3.5. The vulnerability was discovered and disclosed in May 2022, allowing attackers to create workflows that produce malicious HTML artifacts containing scripts that can interact with the Argo Server API (GitHub Advisory).

The vulnerability stems from insufficient security controls on HTML artifacts, which could allow scripts within these artifacts to make XHR (XMLHttpRequest) calls to interact with the Argo Server API. When a victim opens a deep-link to such an artifact, the malicious script executes with the victim's privileges. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).

If successfully exploited, an attacker can read information about the victim's workflows, create new workflows, or delete existing workflows. The impact is limited to actions that the victim has permission to perform. The attack requires the attacker to have access to the same cluster as the victim and the ability to run their own workflows (GitHub Advisory).

The vulnerability has been patched in versions 3.2.11 and 3.3.5. The fix includes implementing Content-Security-Policy headers and other security controls. For users unable to upgrade immediately, a workaround is available by disabling the Argo Server completely. This can be done by setting the environment variable ARGOARTIFACTSERVER to false (GitHub Commit).