Argo Workflows Credential Logging Vulnerability in Workflow Executor

A vulnerability exists in Argo Workflows versions 4.0.0 prior to 4.0.5, where the workflow executor logs artifact repository credentials in plaintext. This includes S3 access keys, secret keys, GCS service account keys, Azure account keys, and Git passwords. Any user with read access to workflow pod logs can extract these credentials. The issue arises because the logging driver passes the entire ArtifactDriver struct to the structured logger, exposing sensitive information. This vulnerability can be reproduced by creating a workflow that uses artifact repositories requiring credentials, and then checking the logs of the workflow pod.

Impact

Users with Kubernetes RBAC permissions to read pod logs in the workflow namespace can extract logged artifact repository credentials.

Reproduction

To reproduce this vulnerability, create a workflow that includes artifact repository credentials, such as S3 access keys or GCS service account keys. Once the workflow is executed, the credentials will be logged in plaintext. This can be verified by accessing the workflow pod logs.

Remediation

Users can upgrade to Argo Workflows version 4.0.5, where this vulnerability has been patched.