Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/argoproj/argo-workflows/v3(Go) | 3.7.0 | 3.7.3 | N/A |
| github.com/argoproj/argo-workflows/v3(Go) | 0 | 3.6.12 | N/A |
CVSS Metrics
