GitHub_MVULNRICHMENT:CVE-2024-31990CVE-2024-31990 Argo CD' API server does not enforce project sourceNamespaces
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:kubernetes:argo-cd:*:*:*:*:*:*:*:*"
],
"vendor": "kubernetes",
"product": "argo-cd",
"versions": [
{
"status": "affected",
"version": "*"
}
],
"defaultStatus": "unknown"
}
]References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial