Bug 2275189 (CVE-2024-31990) - CVE-2024-31990 argo-cd: API server does not enforce project sourceNamespaces
Summary: CVE-2024-31990 argo-cd: API server does not enforce project sourceNamespaces
Keywords:
Status: NEW
Alias: CVE-2024-31990
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2276400 2276401 2276402 2276403 2276404
Blocks: 2275191
Reported: 2024-04-15 21:35 UTC by Robb Gatica
Modified: 2024-04-22 12:26 UTC (History)

Fixed In Version: argo-cd 2.10.7, argo-cd 2.9.12, argo-cd 2.8.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Argo CD. The API server does not enforce project sourceNamespaces, which can allow an attacker to use the UI to edit resources which should only be mutable via gitops.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-04-15 21:35:34 UTC
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.

https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
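The sourceNamespaces control the description refers to, shown as an added illustration that is not part of this bug report or of Argo CD's own documentation: an AppProject allow-lists the namespaces in which Applications belonging to it may live, and an Application created outside that allow-list must be rejected by the API server. The project name, namespaces and repository URL below are placeholders.

```yaml
# Constructed example (not from the report). Argo CD's "applications in any
# namespace" feature: Applications may live outside the control-plane
# namespace only in namespaces enabled here, and only in projects that
# allow-list that namespace via spec.sourceNamespaces.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
data:
  # Namespaces the API server and controller will watch for Applications.
  application.namespaces: "team-a,team-b"
---
# The project only accepts Applications from namespace team-a.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  sourceNamespaces:
    - team-a
  sourceRepos:
    - https://example.invalid/placeholder/manifests.git   # placeholder
  destinations:
    - namespace: team-a
      server: https://kubernetes.default.svc
---
# Allowed: the Application sits in team-a, which the project lists.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: team-a
spec:
  project: team-a
  source:
    repoURL: https://example.invalid/placeholder/manifests.git
    path: guestbook
  destination:
    namespace: team-a
    server: https://kubernetes.default.svc
---
# Must be refused: same project, but created from namespace team-b, which
# is not in the project's sourceNamespaces. The fixed versions listed above
# make the API server enforce this check for requests arriving through the
# UI/API, not only for Applications reconciled from Git.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook-misplaced
  namespace: team-b
spec:
  project: team-a
  source:
    repoURL: https://example.invalid/placeholder/manifests.git
    path: guestbook
  destination:
    namespace: team-a
    server: https://kubernetes.default.svc
```

A practical check after upgrading: submit the last Application through the Argo CD API or UI rather than via kubectl and confirm the server returns an error citing the project's sourceNamespaces; a silent success means the instance is still on an affected build. Listing Applications across all namespaces and comparing each one's namespace against its project's sourceNamespaces surfaces any objects that were created while the check was missing.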

