CVE-2024-31990
Published 2024-04-15
CVE-2024-31990: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to…
Priority P3 · 38 · medium · 6.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.45% (35.5th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces, which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | >= 2.10.0 < 2.10.7 | 2.10.7 |
| argoproj | argo_cd | >= 2.4.0 < 2.8.16 | 2.8.16 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.12 | 2.9.12 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.7 | 2.10.7 |
| github.com | argoproj_argo-cd_v2 | >= 2.4.0 < 2.8.16 | 2.8.16 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0 < 2.9.12 | 2.9.12 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| vendor_redhat | — | 4.8 | MEDIUM | — |
Red Hat
argo-cd: API server does not enforce project sourceNamespaces
vendor_redhat · 2024-04-15 · CVSS 4.8 · MEDIUM · CWE-863
A flaw was found in Argo CD. The API server does not enforce project sourceNamespaces, which can allow an attacker to use the UI to edit resources which should only be mutable via gitops.
Package: odf4/odr-rhel9-operator (Red Hat Openshift Data Foundation 4) - Affected
Package: openshift-gitops-1/argocd-rhel9 (Red Hat OpenShift GitOps) - Affected
OSV
Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd
osv · 2024-06-04
OSV
Argo CD's API server does not enforce project sourceNamespaces
osv · 2024-04-15 · MEDIUM
### Impact
I can convince the UI to let me do things with an invalid Application.
1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace
2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps`
3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e. no updating via the UI allowed, gitops-only
4. I create an Application called `pwn` in `dev-apps` with project dev and sync the app with sources from git
5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
6. I use the UI to edit the resource which should only be mutable via gitops
### Patches
A patch f
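The enforcement the advisory describes as missing, written here as an added example rather than Argo CD's own code: before the API server accepts a mutation, the Application's namespace must match one of its current project's sourceNamespaces, so an app that lives in `dev-apps` but has been re-pointed at project `demo` is rejected. The `AppProject`/`Application` structs, the `argocd` control-plane namespace, glob matching via `path.Match`, and `demo` sourcing only from `demo` are assumptions for the example.

```go
package main

import (
	"fmt"
	"path"
)

// Minimal stand-ins for the two Argo CD objects (assumed shapes, not Argo CD's types).
type AppProject struct {
	Name             string
	SourceNamespaces []string // namespaces an Application object may live in
}

type Application struct {
	Name      string
	Namespace string // namespace the Application object itself lives in
	Project   string
}

// Assumed control-plane namespace; Applications there are always permitted.
const controlPlaneNamespace = "argocd"

// namespacePermitted reports whether project allows Applications in ns.
// Patterns are path.Match-style globs, so "dev-*" covers "dev-apps".
func namespacePermitted(project AppProject, ns string) bool {
	if ns == controlPlaneNamespace {
		return true
	}
	for _, pattern := range project.SourceNamespaces {
		if ok, err := path.Match(pattern, ns); err == nil && ok {
			return true
		}
	}
	return false
}

// validateAppProject is the server-side check: RBAC is evaluated against
// project/app-name, so the project the app claims must actually be allowed
// to source Applications from the app's namespace, or the claim is rejected.
func validateAppProject(app Application, projects map[string]AppProject) error {
	proj, ok := projects[app.Project]
	if !ok {
		return fmt.Errorf("app %s/%s: unknown project %q", app.Namespace, app.Name, app.Project)
	}
	if !namespacePermitted(proj, app.Namespace) {
		return fmt.Errorf("app %s/%s: namespace not in sourceNamespaces of project %q", app.Namespace, app.Name, app.Project)
	}
	return nil
}
```

With `dev` sourcing from `dev-apps` and `demo` sourcing only from `demo`, the app from step 4 validates while the same app after step 5 returns an error.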
GHSA
Argo CD's API server does not enforce project sourceNamespaces
ghsa · 2024-04-15 · MEDIUM · CWE-863
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
Published: 2024-04-15