CVE-2024-52799

Severity: High · Class: LPE (local privilege escalation)

Published: 21 November 2024
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.3th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-52799 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, it is ranked at the 15.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.
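The grant at issue is an RBAC rule, so the practical check is to audit the Role a workflow runs under for exec-like subresources and strip them. The following is an added example, not the chart's own code or manifest: it takes a Role in the JSON shape `kubectl get role <name> -o json` produces, flags pods/exec (the grant named above) plus the equivalent pods/attach and pods/ephemeralcontainers routes, and returns a hardened copy; the sample Role is constructed for illustration.

```python
import json
from copy import deepcopy

# Subresource/verb pairs that let a subject run code inside other Pods.
# pods/exec + create is the grant called out for CVE-2024-52799; the others are
# the equivalent routes an auditor checks at the same time.
EXEC_GRANTS = {
    ("pods/exec", "create"),
    ("pods/attach", "create"),
    ("pods/ephemeralcontainers", "update"),
    ("pods/ephemeralcontainers", "patch"),
}

def _matches(rule_items, wanted):
    """RBAC lists may contain '*', which matches everything."""
    return "*" in rule_items or wanted in rule_items

def find_exec_grants(role):
    """Return the sorted (resource, verb) exec-like grants present in a Role/ClusterRole."""
    found = set()
    for rule in role.get("rules", []):
        # pods/* subresources live in the core API group, spelled "" in RBAC rules.
        if not _matches(rule.get("apiGroups", []), ""):
            continue
        for resource, verb in EXEC_GRANTS:
            if _matches(rule.get("resources", []), resource) and _matches(rule.get("verbs", []), verb):
                found.add((resource, verb))
    return sorted(found)

def strip_exec_grants(role):
    """Copy of the role with exec-like subresources removed; rules left with no resources are dropped.
    A wildcard "*" resource is left in place (it still gets flagged) because it needs a manual rewrite."""
    hardened = deepcopy(role)
    risky = {resource for resource, _ in EXEC_GRANTS}
    kept = []
    for rule in hardened.get("rules", []):
        rule["resources"] = [r for r in rule.get("resources", []) if r not in risky]
        if rule["resources"]:
            kept.append(rule)
    hardened["rules"] = kept
    return hardened

# Constructed sample shaped like `kubectl get role workflow-role -o json`; not the chart's real manifest.
SAMPLE_ROLE = json.loads("""
{"kind": "Role", "metadata": {"name": "workflow-role", "namespace": "argo"},
 "rules": [
   {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create", "get", "patch"]},
   {"apiGroups": ["argoproj.io"], "resources": ["workflowtaskresults"], "verbs": ["create", "patch"]}
 ]}
""")

if __name__ == "__main__":
    print("exec-like grants:", find_exec_grants(SAMPLE_ROLE))
    print(json.dumps(strip_exec_grants(SAMPLE_ROLE)["rules"], indent=2))
```

Running the same audit across every Role and ClusterRole bound to workflow service accounts, not only the chart's workflow-role, is what catches the same over-grant reintroduced by a locally edited values file.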

CWE(s)

CWE-250 (Execution with Unnecessary Privileges), CWE-1220 (Insufficient Granularity of Access Control)
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-250, CWE-1220) Automatic termination after a defined period eliminates unnecessary privileges from persistent connections.
- (addresses CWE-250, CWE-1220) Separating user-facing code from system management functions directly prevents execution of privileged operations from untrusted user contexts.
- (addresses CWE-250, CWE-1220) Isolating security functions allows them to execute with only the privileges they require while preventing non-security code from inheriting or accessing those privileges.
- (addresses CWE-250) Policy promotes least privilege by defining necessary privileges and management commitment to them.
- (addresses CWE-250) Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights.
- (addresses CWE-1220) Use of granular security and privacy attributes enables finer access control than coarse permission models alone.
- (addresses CWE-250) Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
- (addresses CWE-250) Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.
