Vulnerability Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Argoproj | Argo Cd | >= 2.4.0, < 2.8.16 |
Related Weaknesses (CWE)
References
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bPatch
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9Patch
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13Patch
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3cVendor Advisory
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bPatch
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9Patch
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13Patch
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3cVendor Advisory
FAQ
What is CVE-2024-31990?
CVE-2024-31990 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should o...
How severe is CVE-2024-31990?
CVE-2024-31990 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-31990?
Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Cd.