CVE-2024-52799
Published: 21 November 2024
Summary
CVE-2024-52799 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, its exploit-likelihood score ranks it at the 15.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46054
Vulnerability details
Argo Workflows Chart is used to set up Argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being the create verb on the pods/exec subresource, which allows kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.
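The practical check for this class of issue is to read the Role a workflow ServiceAccount is bound to and look for rules granting create on pods/exec (or a wildcard that covers it). The following is an added example, not code from the advisory or from the argo-workflows chart: it audits Role/ClusterRole objects in the JSON shape that kubectl get role -o json returns. The two embedded Role objects are constructed for illustration; the "vulnerable" one reproduces only the pattern at issue (a create grant on pods/exec), not the chart's exact rule set, and the "hardened" one assumes that an Emissary-executor workflow pod needs only workflowtaskresults create/patch (check the 0.44.0 chart for the authoritative minimum). The check also covers pods/attach, which the advisory does not mention; that is an assumption added here because create on pods/attach yields the same capability.

```python
"""Audit Kubernetes RBAC Role/ClusterRole objects for exec-capable grants.

Added example, not part of the advisory or the argo-workflows chart. Input is
a Role object as returned by `kubectl get role <name> -n <ns> -o json`.
"""
import json

# pods/exec is the subresource the advisory names. pods/attach is included
# as an assumption: "create" on it also gives a shell inside a running
# container, so a least-privilege review should treat it the same way.
EXEC_SUBRESOURCES = ("pods/attach", "pods/exec")

# Constructed excerpt in the shape of a pre-0.44.0 workflow-role (pattern
# only; the real chart's rule list is not reproduced here).
VULNERABLE_ROLE = json.loads("""
{
  "kind": "Role",
  "metadata": {"name": "workflow-role", "namespace": "argo"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": ["argoproj.io"], "resources": ["workflowtaskresults"],
     "verbs": ["create", "patch"]}
  ]
}
""")

# Constructed hardened form. Assumption: with the Emissary executor the
# workflow pod only needs to report task results; compare against the
# 0.44.0 chart before applying anything like this.
HARDENED_ROLE = json.loads("""
{
  "kind": "Role",
  "metadata": {"name": "workflow-role", "namespace": "argo"},
  "rules": [
    {"apiGroups": ["argoproj.io"], "resources": ["workflowtaskresults"],
     "verbs": ["create", "patch"]}
  ]
}
""")


def _grants(listed, wanted):
    """True if an RBAC list covers `wanted`, honouring the '*' wildcard."""
    return "*" in listed or wanted in listed


def find_exec_grants(role):
    """Return (rule_index, subresource) for every rule that grants create
    (or all verbs) on an exec-capable pod subresource in the core API group.

    The core group is spelled "" in RBAC; "*" in apiGroups, resources or
    verbs matches everything, which is why a blanket admin rule is flagged
    for every subresource in EXEC_SUBRESOURCES.
    """
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        if not _grants(rule.get("apiGroups", []), ""):
            continue  # not the core group, so it cannot cover pods/*
        if not _grants(rule.get("verbs", []), "create"):
            continue  # get/list on pods/exec does not open a session
        for sub in EXEC_SUBRESOURCES:
            if _grants(rule.get("resources", []), sub):
                findings.append((idx, sub))
    return findings


def describe(role):
    """Human-readable verdict for one Role/ClusterRole object."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    hits = find_exec_grants(role)
    if not hits:
        return f"{name}: no exec-capable grants"
    detail = ", ".join(f"rule[{i}] -> create {sub}" for i, sub in hits)
    return f"{name}: EXCESSIVE ({detail})"


if __name__ == "__main__":
    for role in (VULNERABLE_ROLE, HARDENED_ROLE):
        print(describe(role))
```

On a live cluster the same question can be put to the API server directly for the ServiceAccount that workflow pods run as: kubectl auth can-i create pods/exec -n <namespace> --as=system:serviceaccount:<namespace>:<serviceaccount>. A "yes" for a workflow ServiceAccount on a chart older than 0.44.0 is the finding described above.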
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-250) cited in the NVD entry.
- Automatic termination of sessions after a defined period removes privileges that would otherwise persist on long-lived connections.
- Separating user-facing code from system management functions prevents privileged operations from being executed from untrusted user contexts.
- Isolating security functions lets them execute with only the privileges they require, while preventing non-security code from inheriting or accessing those privileges.
- A least-privilege policy defines which privileges are necessary and records management commitment to granting no more than those.
- Supervision of privilege assignments detects, and allows removal of, unnecessary privileges that enable execution with excess rights.
- Granular security and privacy attributes enable finer access control than coarse permission models alone.
- Reviewing accounts for compliance, disabling or removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
- Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.