CVE-2024-31990
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-31990
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31990.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-31990
- Aliases
- Related
- Published
- 2024-04-15T20:15:11Z
- Modified
- 2024-10-08T04:11:00.204616Z
- Summary
- [none]
- Details
-
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.
- References
-
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
Affected packages
Git / github.com/argoproj/argo-cd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/argoproj/argo-cd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixed
Affected versions
v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0-alpha1
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v2.*
v2.10.0
v2.10.0-rc1
v2.10.0-rc2
v2.10.0-rc3
v2.10.0-rc4
v2.10.0-rc5
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.8.0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.8.0-rc5
v2.8.0-rc6
v2.8.0-rc7
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.0
v2.9.0-rc1
v2.9.0-rc2
v2.9.0-rc3
v2.9.0-rc4
v2.9.1
v2.9.11
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9