CVE-2024-31989
Published 2024-05-21
Priority P3 53 · critical 9 · CVSS 3.1
AV:A / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 1.48% (70.7th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | < 2.8.19 | 2.8.19 |
| argoproj | argo-cd | <= 1.8.7 | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | < 2.8.19 | 2.8.19 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.10 | 2.10.10 |
| argoproj | argo_cd | >= 2.11.0 < 2.11.1 | 2.11.1 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.15 | 2.9.15 |
| github.com | argoproj_argo-cd | 0 – 1.8.7 | — |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.8.19 | 2.8.19 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0-rc1 < 2.10.10 | 2.10.10 |
| github.com | argoproj_argo-cd_v2 | >= 2.11.0-rc1 < 2.11.1 | 2.11.1 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0-rc1 < 2.9.15 | 2.9.15 |
Detection & IOCs
- Monitor for unexpected cross-namespace connections to Redis on port 6379 within Kubernetes clusters running Argo CD.
- Alert on modifications to the 'mfst' (manifest) key in the Argo CD Redis cache, which could indicate an attacker attempting to inject malicious deployments.
- Detect unauthorized read/write access to the Argo CD Redis instance, which could indicate privilege escalation attempts toward cluster controller level.
- EKS clusters with the VPC CNI plugin installed are NOT automatically protected: network policy enforcement requires manual enablement via configuration. Many deployments may unknowingly expose Redis.
- Patched versions are 2.8.19, 2.9.15, and 2.10.10. Deployments on earlier versions remain vulnerable regardless of network plugin version.
CVSS provenance
- nvd · v3.1 · 9.0 · CRITICAL · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- vendor_redhat · 9.0 · CRITICAL
OSV
ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd
osv·2024-06-05
CVE-2024-31989 ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd
GHSA
ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
ghsa·2024-05-21
CVE-2024-31989 [CRITICAL] CWE-327 ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
### Summary
By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected de
OSV
ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
osv·2024-05-21
CVE-2024-31989 [CRITICAL] ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Red Hat
argocd: Use of Risky or Missing Cryptographic Algorithms in Redis Cache
vendor_redhat·2024-05-15·CVSS 9.0
CVE-2024-31989 [CRITICAL] CWE-1240 argocd: Use of Risky or Missing Cryptographic Algorithms in Redis Cache
References
- https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d
- https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678
- https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c
- https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff
- https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12
- https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07
- https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994
- https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr