Bug 2275189 (CVE-2024-31990)

Summary: CVE-2024-31990 argo-cd: API server does not enforce project sourceNamespaces
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Resolution: ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, anjoseph, jprabhak
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: argo-cd 2.10.7, argo-cd 2.9.12, argo-cd 2.8.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Argo CD. The API server does not enforce project sourceNamespaces, which can allow an attacker to use the UI to edit resources which should only be mutable via GitOps.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2276400, 2276401, 2276402, 2276403, 2276404
Bug Blocks: 2275191

Description Robb Gatica 2024-04-15 21:35:34 UTC
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.

https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
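The following Go program is an added illustration of the missing check described above; it is not Argo CD's own code and not the upstream patch linked in the commits. It models an API server write path for Applications twice: once without any sourceNamespaces check (the flawed behaviour) and once gated on the owning AppProject's sourceNamespaces. The struct names, the in-memory Store, the controller namespace name "argocd" and the use of path.Match for glob semantics are all assumptions made for the example; the real AppProject/Application types and matching code live in the argo-cd repository.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// AppProject holds only the field that matters here. Illustrative type,
// not Argo CD's CRD struct (assumption).
type AppProject struct {
	Name             string
	SourceNamespaces []string // glob patterns of namespaces Applications may live in
}

// Application is a minimal stand-in for an Argo CD Application (assumption).
type Application struct {
	Name      string
	Namespace string
	Project   string
}

// controllerNamespace is where Argo CD itself runs; Applications in that
// namespace are always accepted. The name "argocd" is an assumption.
const controllerNamespace = "argocd"

var (
	ErrUnknownProject        = errors.New("unknown project")
	ErrNamespaceNotPermitted = errors.New("application namespace not permitted by project sourceNamespaces")
)

// isAppNamespacePermitted reports whether app.Namespace is the controller
// namespace or matches one of the project's sourceNamespaces globs.
// path.Match is used for glob matching here (assumption about semantics).
func isAppNamespacePermitted(proj AppProject, app Application) bool {
	if app.Namespace == controllerNamespace {
		return true
	}
	for _, pattern := range proj.SourceNamespaces {
		if ok, err := path.Match(pattern, app.Namespace); err == nil && ok {
			return true
		}
	}
	return false
}

// Store is an in-memory stand-in for the API server's backing store.
type Store struct {
	Projects map[string]AppProject
	Apps     map[string]Application // keyed by namespace/name
}

// UpdateVulnerable models the flawed path: the project must exist, but the
// Application's namespace is never checked against sourceNamespaces, so a
// UI/API caller can write an Application into any namespace.
func (s *Store) UpdateVulnerable(app Application) error {
	if _, ok := s.Projects[app.Project]; !ok {
		return ErrUnknownProject
	}
	s.Apps[app.Namespace+"/"+app.Name] = app
	return nil
}

// UpdateFixed is the same write path with the sourceNamespaces gate applied
// before anything is persisted.
func (s *Store) UpdateFixed(app Application) error {
	proj, ok := s.Projects[app.Project]
	if !ok {
		return ErrUnknownProject
	}
	if !isAppNamespacePermitted(proj, app) {
		return ErrNamespaceNotPermitted
	}
	s.Apps[app.Namespace+"/"+app.Name] = app
	return nil
}

// newDemoStore builds a store with one project (constructed sample data)
// that only permits Applications in namespaces matching "team-a-*".
func newDemoStore() *Store {
	return &Store{
		Projects: map[string]AppProject{
			"team-a": {Name: "team-a", SourceNamespaces: []string{"team-a-*"}},
		},
		Apps: map[string]Application{},
	}
}

func main() {
	s := newDemoStore()
	// An Application pointed at project team-a but placed in team-b's namespace.
	rogue := Application{Name: "rogue", Namespace: "team-b", Project: "team-a"}
	fmt.Println("vulnerable path:", s.UpdateVulnerable(rogue)) // accepted
	fmt.Println("fixed path:     ", s.UpdateFixed(rogue))      // rejected
	ok := Application{Name: "web", Namespace: "team-a-prod", Project: "team-a"}
	fmt.Println("fixed, allowed: ", s.UpdateFixed(ok))
}
```

The point of the gate is that the namespace an Application lives in is part of the project's authorization surface: a caller who is allowed to update Applications in one project must not be able to use that permission to create or mutate Applications in namespaces the project never opted into. Any write path exposed by the API server (UI, CLI, REST/gRPC) needs the same check, not only the controller's reconcile loop.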

Comment 3 errata-xmlrpc 2024-05-10 19:16:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12

Via RHSA-2024:2816 https://access.redhat.com/errata/RHSA-2024:2816