CVE-2024-31989
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-31989
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31989.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-31989
- Aliases
- Related
- Published
- 2024-05-21T19:15:09Z
- Modified
- 2024-10-08T04:11:27.429619Z
- Summary
- [none]
- Details
-
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
- References
-
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr
- https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d
- https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678
- https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c
- https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff
- https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12
- https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07
- https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994
- https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0
Affected packages
Git / github.com/argoproj/argo-cd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/argoproj/argo-cd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixedFixedFixedFixedFixed
Affected versions
v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0-alpha1
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v2.*
v2.10.0
v2.10.0-rc1
v2.10.0-rc2
v2.10.0-rc3
v2.10.0-rc4
v2.10.0-rc5
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.10.7
v2.10.8
v2.10.9
v2.11.0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3
v2.8.0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.8.0-rc5
v2.8.0-rc6
v2.8.0-rc7
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.0
v2.9.0-rc1
v2.9.0-rc2
v2.9.0-rc3
v2.9.0-rc4
v2.9.1
v2.9.11
v2.9.12
v2.9.13
v2.9.14
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9