GHSA-prqf-xr2j-xf65: 
vulnerability analysis and mitigation

A low severity vulnerability (GHSA-prqf-xr2j-xf65) was identified in Argo Workflows affecting versions >= 3.0.0, < 3.0.9 and >= 3.1.0, < 3.1.6. The vulnerability was discovered and published on August 18, 2021, involving potential privilege escalation in Kubernetes environments >= v1.19 when the Argo Server is configured with '--auth-mode=client' (GitHub Advisory).

The vulnerability is classified under CWE-285 and occurs specifically when Argo Server is running with '--auth-mode=client' configuration and not configured with '--auth-mode=server'. When these conditions are met, and the server is running outside a Kubernetes pod (e.g., on bare metal or VM), the client's authentication can be bypassed, leading to potential privilege escalation (GitHub Advisory).

When exploited, the vulnerability allows privilege escalation where the client's authentication is ignored, and the server's authentication is used instead. This results in the client gaining elevated permissions equivalent to the server's account. However, it's noted that this was a proactive fix, and no known exploits existed at the time of disclosure (GitHub Advisory).

The vulnerability has been patched in versions 3.0.9 and 3.1.6. No workarounds are available, making it essential to upgrade to the patched versions. The fix was implemented through pull request #6506 (GitHub Advisory).