BIT-argo-cd-2024-31990

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/argo-cd/BIT-argo-cd-2024-31990.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-argo-cd-2024-31990

Aliases

Published

2024-04-17T07:16:36.280Z

Modified

2024-06-04T16:56:42.670164Z

Summary

[none]

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.

Database specific

{
    "cpes": [
        "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:*:*:*:*:*:kubernetes:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / argo-cd

Package

Name: argo-cd
Purl: pkg:bitnami/argo-cd

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2.10.0

Fixed

2.10.7

Introduced

2.9.0

Fixed

2.9.12

Introduced

2.4.0

Fixed

2.8.16