x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-47827

Advisory CVE-2024-47827 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-workflows

Description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.

References:

Cross references:

github.com/argoproj/argo-workflows appears in 5 other report(s):
- data/excluded/GO-2022-0408.yaml (https://github.com/golang/vulndb/issues/408) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0445.yaml (https://github.com/golang/vulndb/issues/445) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0388.yaml (https://github.com/golang/vulndb/issues/388)
- data/reports/GO-2022-0405.yaml (https://github.com/golang/vulndb/issues/405)
- data/reports/GO-2022-0928.yaml (https://github.com/golang/vulndb/issues/928)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-workflows
      vulnerable_at: 0.4.7
summary: CVE-2024-47827 in github.com/argoproj/argo-workflows
cves:
    - CVE-2024-47827
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47827
    - fix: https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a
    - fix: https://github.com/argoproj/argo-workflows/pull/13641
    - web: https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75
    - web: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr
source:
    id: CVE-2024-47827
    created: 2024-10-28T17:01:19.215390854Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/argoproj/argo-workflows: CVE-2024-47827 #3226