CVE-2024-31989 CRITICAL

CVE-2024-31989: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache

Vendor Argoproj
Product argo-cd
Weakness CWE-327 · Broken crypto
Published May 21, 2024
Last update August 2, 2024

CVSS base score

9.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

Key dates

02Disclosure timeline

May 21, 2024 CVE published
August 2, 2024 Record updated