Bug 2269376 (CVE-2024-13484) - CVE-2024-13484 openshift-gitops-operator-container: Namespace Isolation Break
Summary: CVE-2024-13484 openshift-gitops-operator-container: Namespace Isolation Break
Keywords:
Status: NEW
Alias: CVE-2024-13484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2269375
 
Reported: 2024-03-13 13:43 UTC by Patrick Del Bello
Modified: 2025-04-18 08:27 UTC (History)
CC List: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2024-03-13 13:43:24 UTC
Currently argocd applies the label openshift.io/cluster-monitoring to all namespaces that deploy an ArgoCD CR instance. This then allows the namespace to create a rogue PrometheusRule that can then have adverse effects on the platform monitoring stack. As the label is applied, the rule is rolled out cluster-wide.

This gives anyone who has argocd instances deployed a way to escalate out of their namespace isolation and affect the entire cluster.


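The mechanism behind the report is that the platform Prometheus managed by OpenShift's cluster monitoring operator loads PrometheusRule objects from every namespace labelled openshift.io/cluster-monitoring=true, a label meant for OpenShift's own namespaces. Once the operator puts that label on a tenant namespace, whoever can create a PrometheusRule there is writing rules into the cluster-wide stack. The audit below, an added example that is not part of the bug report, Argo CD or openshift-gitops-operator, finds namespaces outside the platform set that carry the label and flattens every alerting and recording rule the platform stack would pick up from them. It assumes platform namespaces are the ones named openshift-* (PLATFORM_PREFIX), and the two JSON documents are constructed inline in the shape of `oc get namespaces -o json` and `oc get prometheusrules -A -o json`.

```python
"""Audit which namespaces feed PrometheusRule objects into the platform
monitoring stack.  Added example for this bug report, not code from the
report, from Argo CD or from openshift-gitops-operator.  The sample JSON is
constructed here in the shape of `oc get namespaces -o json` and
`oc get prometheusrules -A -o json`; feed real output to audit() in practice."""
import json

CLUSTER_MONITORING_LABEL = "openshift.io/cluster-monitoring"
# Assumption: platform namespaces are the ones named openshift-*; any other
# namespace carrying the label is a tenant that can push rules cluster-wide.
PLATFORM_PREFIX = "openshift-"

# Constructed sample: one platform namespace, one tenant namespace that the
# operator labelled because it hosts an ArgoCD CR, one unlabelled tenant.
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "openshift-monitoring",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-a",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-b", "labels": {"owner": "team-b"}}},
]})

# Constructed sample: team-a ships an always-firing alert whose name collides
# with an existing platform alert, plus a recording rule in the cluster:
# prefix; team-b's rule is never loaded because its namespace has no label.
RULES_JSON = json.dumps({"items": [
    {"metadata": {"name": "team-a-rules", "namespace": "team-a"},
     "spec": {"groups": [{"name": "team-a.rules", "rules": [
         {"alert": "KubePodCrashLooping", "expr": "vector(1)"},
         {"record": "cluster:cpu_usage:ratio", "expr": "vector(0)"},
     ]}]}},
    {"metadata": {"name": "team-b-rules", "namespace": "team-b"},
     "spec": {"groups": [{"name": "team-b.rules", "rules": [
         {"alert": "TeamBHighLatency", "expr": "up == 0"},
     ]}]}},
]})


def labelled_namespaces(ns_doc: str) -> list[str]:
    """Namespaces whose PrometheusRules the platform Prometheus will load."""
    names = []
    for ns in json.loads(ns_doc)["items"]:
        labels = ns["metadata"].get("labels") or {}
        if labels.get(CLUSTER_MONITORING_LABEL) == "true":
            names.append(ns["metadata"]["name"])
    return sorted(names)


def tenant_namespaces_with_label(ns_doc: str) -> list[str]:
    """Labelled namespaces outside the platform set: the isolation break."""
    return [n for n in labelled_namespaces(ns_doc)
            if not n.startswith(PLATFORM_PREFIX)]


def rules_loaded_from(rules_doc: str, namespaces) -> list[dict]:
    """Flatten every alerting/recording rule the platform stack picks up
    from the given namespaces, one dict per rule."""
    wanted = set(namespaces)
    found = []
    for pr in json.loads(rules_doc)["items"]:
        meta = pr["metadata"]
        if meta["namespace"] not in wanted:
            continue
        for group in pr.get("spec", {}).get("groups", []):
            for rule in group.get("rules", []):
                kind = "alert" if "alert" in rule else "record"
                found.append({
                    "namespace": meta["namespace"],
                    "prometheusrule": meta["name"],
                    "group": group["name"],
                    "kind": kind,
                    "name": rule[kind],
                    "expr": rule.get("expr", ""),
                })
    return found


def audit(ns_doc: str, rules_doc: str) -> dict:
    """Combine both checks into one report."""
    tenants = tenant_namespaces_with_label(ns_doc)
    return {"namespaces": tenants,
            "rules": rules_loaded_from(rules_doc, tenants)}


if __name__ == "__main__":
    report = audit(NAMESPACES_JSON, RULES_JSON)
    for ns in report["namespaces"]:
        print(f"tenant namespace labelled for platform monitoring: {ns}")
    for r in report["rules"]:
        print(f"  {r['namespace']}/{r['prometheusrule']} {r['group']} "
              f"{r['kind']} {r['name']}: {r['expr']}")
```

Against a live cluster, pass the output of `oc get namespaces -o json` and `oc get prometheusrules -A -o json` to audit(); every rule it lists for a non-platform namespace is one a namespace-level user could change. Stripping the label by hand (`oc label namespace team-a openshift.io/cluster-monitoring-`) only helps as long as the operator does not reapply it, which, per the report, it does for any namespace holding an ArgoCD CR.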