CVE-2024-31990

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-31990

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31990.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-31990

Aliases

Related

Published

2024-04-15T19:52:55Z

Modified

2025-10-15T09:24:08.362526Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Argo CD' API server does not enforce project sourceNamespaces

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.

References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type: GIT
Repo: https://github.com/argoproj/argo-cd
Events: Introduced

2175939ed6156ddd743e60f427f7f48118c971bf

Fixed

b060053b099b4c81c1e635839a309c9c8c1863e9

Type: GIT
Repo: https://github.com/argoproj/argo-cd
Events: Introduced

9cf0c69bbe70393db40e5755e34715f30179ee09

Fixed

d6cb4e903f1802efff15682ef0ceddb1e1e69f97

Type: GIT
Repo: https://github.com/argoproj/argo-cd
Events: Introduced

91aefabc5b213a258ddcfe04b8e69bb4a2dd2566

Fixed

a5ae7bd16143814dc8560da0e476905ed1d46628

Affected versions

v2.*

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.10.6

v2.9.0

v2.9.1

v2.9.11

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

v2.9.8

v2.9.9

Git / github.com/argoproj/argo-cd

Affected ranges

Database specific

{
    "unresolved_versions": [
        {
            "type": "",
            "events": [
                {
                    "introduced": "0"
                },
                {
                    "last_affected": "*"
                }
            ]
        }
    ]
}