CVE-2024-31989
published 2024-05-21

Priority: P3 53 | critical 9 | CVSS 3.1
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.48% (70.7th percentile)

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

Affected

14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | < 2.8.19 | 2.8.19 |
| argoproj | argo-cd | <= 1.8.7 | |
| argoproj | argo-cd | | |
| argoproj | argo-cd | | |
| argoproj | argo-cd | | |
| argoproj | argo_cd | < 2.8.19 | 2.8.19 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.10 | 2.10.10 |
| argoproj | argo_cd | >= 2.11.0 < 2.11.1 | 2.11.1 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.15 | 2.9.15 |
| github.com | argoproj_argo-cd | 0 – 1.8.7 | |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.8.19 | 2.8.19 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0-rc1 < 2.10.10 | 2.10.10 |
| github.com | argoproj_argo-cd_v2 | >= 2.11.0-rc1 < 2.11.1 | 2.11.1 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0-rc1 < 2.9.15 | 2.9.15 |

Detection & IOCs (extracted from sources)

port: 6379
  • Monitor for unexpected cross-namespace connections to Redis on port 6379 within Kubernetes clusters running Argo CD.
  • Alert on modifications to the 'mfst' (manifest) key in the Argo CD Redis cache, which could indicate an attacker attempting to inject malicious deployments.
  • Detect unauthorized read/write access to the Argo CD Redis instance, which could indicate privilege escalation attempts toward cluster controller level.
  • EKS clusters with the VPC CNI plugin installed are NOT automatically protected; network policy enforcement requires manual enablement via configuration. Many deployments may unknowingly expose Redis.
  • Patched versions are 2.8.19, 2.9.15, and 2.10.10. Deployments on earlier versions remain vulnerable regardless of network plugin version.

CVSS provenance

nvd | v3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat | 9.0 | CRITICAL