Argo Workflows Missing Authorization Vulnerability in ConfigMap Sync Provider Allowing Unauthorized CRUD Operations

Vulnerability

Argo Workflows versions 4.0.0 up to, but not including, 4.0.5 are affected. The Sync Service's ConfigMap-backed provider performs no authorization check on the create, read, update and delete operations it runs against the Kubernetes ConfigMaps that store synchronization (semaphore) limits. As a result, any caller who can reach the Sync Service API can manipulate these ConfigMaps; the check is missing entirely, so this includes callers presenting a fake Bearer token rather than a valid one. The issue is fixed in version 4.0.5.

Impact

Because the provider executes the requests with the Argo server's own credentials, exploitation gives an attacker unauthorized control over ConfigMaps in every namespace the Argo server's service account can reach. Concretely, the attacker can create or delete ConfigMaps, disrupt workflows by rewriting synchronization limits (for example, lowering a semaphore limit so that workflows waiting on it never run), and read any sensitive data stored in those ConfigMaps. The blast radius is therefore bounded by the RBAC granted to the Argo server's service account, not by the caller's own permissions.

Reproduction

To reproduce, send a request to the Argo server's Sync Service API carrying a fake Bearer token in the Authorization header and asking it to create, read, update or delete a synchronization limit. Because no authorization check is performed, the operation succeeds; on a fixed version (4.0.5 or later) the same request is rejected.

Remediation

Update to Argo Workflows version 4.0.5 or later, where this vulnerability has been patched. Until the upgrade is done, note that the impact is limited by what the Argo server's service account is allowed to do, so reviewing that account's ConfigMap permissions and restricting network access to the server API reduces exposure but does not remove the missing check.
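The reproduction step needs the Sync Service route, which this page does not give, so the following added example (my own code, not the Argo Workflows project's or this page's author's) covers two things a responder can do with the information the page does provide: decide from the version the server reports whether a deployment is in the affected range stated above, and scan Kubernetes audit logs for ConfigMap writes performed under the Argo server's service account, which is how the impact described above would surface cluster-side. The service-account name, the shape of the version response and the audit log lines are assumptions and constructed samples.

```python
"""Triage helpers for the Argo Workflows Sync Service ConfigMap advisory.

Added example; not code from the Argo Workflows project or this page.
Assumptions (adjust for your environment):
  * affected range is 4.0.0 <= version < 4.0.5, as the advisory states;
  * the Argo server's version endpoint returns JSON with a "version" field
    such as "v4.0.3" (assumed shape, constructed sample below);
  * the server runs in an auth mode where it acts with its own service
    account, here assumed to be system:serviceaccount:argo:argo-server;
  * audit events are in the audit.k8s.io/v1 Event JSON-lines shape.
"""
import json
import re
from typing import Iterable, Iterator

AFFECTED_MIN = (4, 0, 0)   # first affected release per the advisory
FIXED = (4, 0, 5)          # first fixed release per the advisory

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v4.0.3' or '4.0.3-rc1' into (4, 0, 3); pre-release tags are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def affected_from_version_response(body: str) -> bool:
    """Apply is_affected to a JSON version response body (assumed shape)."""
    return is_affected(json.loads(body)["version"])


# Detection heuristic: the server normally only needs to read ConfigMaps, so
# a write (create/update/patch/delete) on a ConfigMap under its own service
# account is unusual unless your teams deliberately use the Sync Service.
ARGO_SERVER_SA = "system:serviceaccount:argo:argo-server"  # assumption
WRITE_VERBS = frozenset({"create", "update", "patch", "delete"})


def suspicious_configmap_writes(events: Iterable[dict]) -> list[dict]:
    """Summarise audit events that match the heuristic above."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "configmaps":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        if (ev.get("user") or {}).get("username") != ARGO_SERVER_SA:
            continue
        hits.append({
            "time": ev.get("requestReceivedTimestamp"),
            "verb": ev["verb"],
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "sourceIPs": ev.get("sourceIPs", []),
            "code": (ev.get("responseStatus") or {}).get("code"),
        })
    return hits


def iter_audit_lines(text: str) -> Iterator[dict]:
    """Parse a JSON-lines audit log, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


# Constructed sample data; not captured from a real server or cluster.
SAMPLE_VERSION_RESPONSE = '{"version":"v4.0.3","buildDate":"2026-01-01T00:00:00Z"}'

SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:argo:argo-server"},"objectRef":{"resource":"configmaps","namespace":"team-a","name":"sync-limits"},"sourceIPs":["10.0.0.5"],"requestReceivedTimestamp":"2026-05-09T04:00:00Z","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"system:serviceaccount:argo:argo-server"},"objectRef":{"resource":"configmaps","namespace":"team-a","name":"sync-limits"},"sourceIPs":["10.0.0.5"],"requestReceivedTimestamp":"2026-05-09T04:01:00Z","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"delete","user":{"username":"system:serviceaccount:argo:argo-server"},"objectRef":{"resource":"configmaps","namespace":"team-b","name":"sync-limits"},"sourceIPs":["10.0.0.5"],"requestReceivedTimestamp":"2026-05-09T04:02:00Z","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"configmaps","namespace":"team-a","name":"sync-limits"},"sourceIPs":["10.0.0.9"],"requestReceivedTimestamp":"2026-05-09T04:03:00Z","responseStatus":{"code":200}}
not json at all
"""


def scan_audit_log(text: str = SAMPLE_AUDIT_LOG) -> list[dict]:
    """Run the heuristic over a JSON-lines audit log."""
    return suspicious_configmap_writes(iter_audit_lines(text))


if __name__ == "__main__":
    print("affected:", affected_from_version_response(SAMPLE_VERSION_RESPONSE))
    for hit in scan_audit_log():
        print(hit)
```

On the sample log, only the update and the delete made under the argo-server account are reported; the read by the same account and the write by a human admin are not. Treat a hit as a lead, not proof: a deployment that legitimately uses the Sync Service will produce the same events, so correlate the source IPs and timestamps with the Argo server's own request logs before calling it exploitation.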

Added: May 9, 2026, 4:20 AM
Updated: May 9, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.3
exploitability: 7.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.