Argo Workflows Unauthorized Access to Workflow Templates Vulnerability

Vulnerability

A vulnerability in Argo Workflows prior to versions 4.0.2 and 3.7.11 allows unauthorized access to WorkflowTemplates and ClusterWorkflowTemplates. The issue arises because the WorkflowTemplate endpoints of the Argo Server accept requests from any client whose request carries an 'Authorization: Bearer nothing' token. This access can lead to the leakage of sensitive template content, such as embedded Secret manifests. The vulnerability is present in versions prior to 3.7.11 and in the 4.0.0 series prior to 4.0.2.

Impact

Exploitation of this vulnerability allows any client to leak data from Workflow Templates and Cluster Workflow Templates, including sensitive information such as secrets, artifact locations, service account usage, environment variables, and resource manifests.

Reproduction

To reproduce this vulnerability, first create a WorkflowTemplate that includes a secret, such as a password, encoded in base64. Apply this template using kubectl. Then, send a request to the Argo Server's Workflow Templates API endpoint for the created template, using a fake authorization token. The response will include the leaked secret and other sensitive information from the WorkflowTemplate.

Remediation

Users can upgrade to Argo Workflows versions 4.0.2 or 3.7.11 to address this vulnerability.
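Because the exposed data is whatever the templates themselves contain, a practitioner upgrading will also want to know which templates embedded secret material and therefore need rotation. The following audit function is an added example, not Argo project code; it walks the standard WorkflowTemplate fields (a resource step's `manifest` string and `container`/`script` `env` entries) and operates on a constructed sample template in the shape `kubectl get workflowtemplate -o json` would return.

```python
"""Audit an Argo WorkflowTemplate for secret material that the template
endpoints return verbatim. Added example, not Argo project code."""
from typing import Any, Dict, List

# Constructed sample: one resource step embedding a Secret manifest, one
# container with a literal env value and one env var that correctly uses
# a secretKeyRef (only the reference, not the secret, is stored).
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "WorkflowTemplate",
    "metadata": {"name": "example-template", "namespace": "argo"},
    "spec": {"templates": [
        {"name": "create-secret",
         "resource": {"action": "create",
                      "manifest": ("apiVersion: v1\nkind: Secret\n"
                                   "metadata:\n  name: db\n"
                                   "data:\n  password: cGFzc3dvcmQ=\n")}},
        {"name": "run",
         "container": {"image": "alpine", "env": [
             {"name": "DB_PASSWORD", "value": "plaintext-value"},
             {"name": "TOKEN", "valueFrom": {"secretKeyRef":
                                             {"name": "db", "key": "password"}}},
         ]}},
    ]},
}


def find_embedded_secrets(tmpl: Dict[str, Any]) -> List[str]:
    """Return one finding per place where secret material is stored in
    the template body (WorkflowTemplate or ClusterWorkflowTemplate)."""
    findings: List[str] = []
    name = tmpl.get("metadata", {}).get("name", "<unnamed>")
    for step in tmpl.get("spec", {}).get("templates", []):
        step_name = step.get("name", "<unnamed>")
        # Resource steps carry the manifest as YAML text; a Secret's
        # base64 data is therefore part of the template itself.
        manifest = step.get("resource", {}).get("manifest", "")
        if any(line.strip() == "kind: Secret" for line in manifest.splitlines()):
            findings.append(f"{name}/{step_name}: resource step embeds a Secret manifest")
        # Literal env values live in the template; valueFrom entries only
        # name a Secret/ConfigMap key and do not expose its content.
        for section in ("container", "script"):
            for env in step.get(section, {}).get("env", []):
                if "value" in env and "valueFrom" not in env:
                    findings.append(f"{name}/{step_name}: env {env['name']} has a literal value")
    return findings


if __name__ == "__main__":
    for finding in find_embedded_secrets(SAMPLE_TEMPLATE):
        print(finding)
```

Run the function over every template returned by `kubectl get workflowtemplate,clusterworkflowtemplate -A -o json` and treat each finding as a credential to rotate, since anything stored this way was readable without authentication on affected versions.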

Added: Mar 11, 2026, 4:23 PM
Updated: Mar 11, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.