CVE-2024-31990

Опубликовано: 15 апр. 2024

Источник: redhat

CVSS3: 4.8

Описание

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.

A flaw was found in Argo CD. The API server does not enforce project sourceNamespaces, which can allow an attacker to use the UI to edit resources which should only be mutable via gitops.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Openshift Data Foundation 4	odf4/odr-rhel8-operator	Affected
Red Hat OpenShift GitOps	openshift-gitops-argocd-rhel9-container	Affected
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/argocd-rhel8	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/argo-rollouts-rhel8	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/console-plugin-rhel8	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/dex-rhel8	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/gitops-operator-bundle	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/gitops-rhel8	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/gitops-rhel8-operator	Fixed	RHSA-2024:2816	10.05.2024
Red Hat OpenShift GitOps 1.12	openshift-gitops-1/kam-delivery-rhel8	Fixed	RHSA-2024:2816	10.05.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-863

https://bugzilla.redhat.com/show_bug.cgi?id=2275189argo-cd: API server does not enforce project sourceNamespaces

4.8 Medium

CVSS3

Связанные уязвимости

CVE-2024-31990

CVSS3: 4.8

nvd

почти 2 года назад

GHSA-2gvw-w6fj-7m3c

CVSS3: 4.8

github

почти 2 года назад

Argo CD's API server does not enforce project sourceNamespaces

4.8 Medium

CVSS3