Vulnerability-Lookup

CVE-2024-31990 (GCVE-0-2024-31990)

Vulnerability from cvelistv5 – Published: 2024-04-15 19:52 – Updated: 2024-08-02 01:59

Title

Argo CD' API server does not enforce project sourceNamespaces

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/argoproj/argo-cd/security/advi…	x_refsource_CONFIRM
	https://github.com/argoproj/argo-cd/commit/c51410…	x_refsource_MISC
	https://github.com/argoproj/argo-cd/commit/c5a252…	x_refsource_MISC
	https://github.com/argoproj/argo-cd/commit/e0ff56…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	argoproj	argo-cd	Affected: >= 2.10.0, < 2.10.7 Affected: >= 2.9.0, < 2.9.12 Affected: >= 2.4.0, < 2.8.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:kubernetes:argo-cd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo-cd",
            "vendor": "kubernetes",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T18:46:24.506220Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:35:59.749Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:59:50.786Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.4.0, \u003c 2.8.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-15T19:52:55.718Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
        }
      ],
      "source": {
        "advisory": "GHSA-2gvw-w6fj-7m3c",
        "discovery": "UNKNOWN"
      },
      "title": "Argo CD\u0027 API server does not enforce project sourceNamespaces"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-31990",
    "datePublished": "2024-04-15T19:52:55.718Z",
    "dateReserved": "2024-04-08T13:48:37.491Z",
    "dateUpdated": "2024-08-02T01:59:50.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Argo CD\u0027 API server does not enforce project sourceNamespaces\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-863\", \"lang\": \"en\", \"description\": \"CWE-863: Incorrect Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c\"}, {\"name\": \"https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c\"}, {\"name\": \"https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5\"}, {\"name\": \"https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17\"}], \"affected\": [{\"vendor\": \"argoproj\", \"product\": \"argo-cd\", \"versions\": [{\"version\": \"\u003e= 2.10.0, \u003c 2.10.7\", \"status\": \"affected\"}, {\"version\": \"\u003e= 2.9.0, \u003c 2.9.12\", \"status\": \"affected\"}, {\"version\": \"\u003e= 2.4.0, \u003c 2.8.16\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-15T19:52:55.718Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.\\n\"}], \"source\": {\"advisory\": \"GHSA-2gvw-w6fj-7m3c\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-31990\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-23T18:46:24.506220Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:kubernetes:argo-cd:*:*:*:*:*:*:*:*\"], \"vendor\": \"kubernetes\", \"product\": \"argo-cd\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-23T18:46:13.817Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-31990\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-04-08T13:48:37.491Z\", \"datePublished\": \"2024-04-15T19:52:55.718Z\", \"dateUpdated\": \"2024-06-04T17:35:59.749Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-31990

Vulnerability from fkie_nvd - Published: 2024-04-15 20:15 - Updated: 2025-01-09 17:04

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c	Patch
security-advisories@github.com	https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5	Patch
security-advisories@github.com	https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17	Patch
security-advisories@github.com	https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c	Vendor Advisory

Impacted products

Vendor	Product	Version
argoproj	argo_cd	*
argoproj	argo_cd	*
argoproj	argo_cd	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B87AF18-0754-4EA4-B6D6-B29F1DD75590",
              "versionEndExcluding": "2.8.16",
              "versionStartIncluding": "2.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FBE3254-59C6-4CA7-AE67-673BA527A8DE",
              "versionEndExcluding": "2.9.12",
              "versionStartIncluding": "2.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71FAC3BD-2DF6-400F-813C-A98370A10F0A",
              "versionEndExcluding": "2.10.7",
              "versionStartIncluding": "2.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.\n"
    },
    {
      "lang": "es",
      "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. El servidor API no aplica los espacios de nombres de origen del proyecto, lo que permite a los atacantes usar la interfaz de usuario para editar recursos que solo deber\u00edan poder modificarse a trav\u00e9s de gitops. Esta vulnerabilidad se corrigi\u00f3 en 2.10.7, 2.9.12 y 2.8.16."
    }
  ],
  "id": "CVE-2024-31990",
  "lastModified": "2025-01-09T17:04:35.590",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-15T20:15:11.127",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2024-31990

Vulnerability from gsd - Updated: 2024-04-11 05:03

Details

Aliases

CVE-2024-31990

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-31990"
      ],
      "details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.\n",
      "id": "GSD-2024-31990",
      "modified": "2024-04-11T05:03:20.633956Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-31990",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "argo-cd",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.10.0, \u003c 2.10.7"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.9.0, \u003c 2.9.12"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.4.0, \u003c 2.8.16"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "argoproj"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2gvw-w6fj-7m3c",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.\n"
          },
          {
            "lang": "es",
            "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. El servidor API no aplica los espacios de nombres de origen del proyecto, lo que permite a los atacantes usar la interfaz de usuario para editar recursos que solo deber\u00edan poder modificarse a trav\u00e9s de gitops. Esta vulnerabilidad se corrigi\u00f3 en 2.10.7, 2.9.12 y 2.8.16."
          }
        ],
        "id": "CVE-2024-31990",
        "lastModified": "2024-04-16T13:24:07.103",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-15T20:15:11.127",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

GHSA-2GVW-W6FJ-7M3C

Vulnerability from github – Published: 2024-04-15 20:20 – Updated: 2024-04-15 21:37

Summary

Argo CD's API server does not enforce project sourceNamespaces

Details

Impact

I can convince the UI to let me do things with an invalid Application. 1. Admin gives me p, michael, applications, *, demo/*, allow, where demo can just deploy to the demo namespace 2. Admin gives me AppProject dev which reconciles from ns dev-apps 3. Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only 4. I create an Application called pwn in dev-apps with project dev and sync the app with sources from git 5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe) 6. I use the UI to edit the resource which should only be mutable via gitops

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.7 v2.9.12 v2.8.16

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-15T20:20:50Z",
    "nvd_published_at": "2024-04-15T20:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nI can convince the UI to let me do things with an invalid Application.\n1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace\n2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps`\n3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e. no updating via the UI allowed, gitops-only\n4. I create an Application called `pwn` in `dev-apps` with project dev and sync the app with sources from git\n5. I change the Application\u2019s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)\n6. I use the UI to edit the resource which should only be mutable via gitops\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\nv2.10.7 \nv2.9.12 \nv2.8.16\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\nThis vulnerability was found \u0026 reported by @crenshaw-dev (Michael Crenshaw)\n\nThe Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue\n",
  "id": "GHSA-2gvw-w6fj-7m3c",
  "modified": "2024-04-15T21:37:22Z",
  "published": "2024-04-15T20:20:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD\u0027s API server does not enforce project sourceNamespaces"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-31990 (GCVE-0-2024-31990)

FKIE_CVE-2024-31990

GSD-2024-31990

GHSA-2GVW-W6FJ-7M3C

Impact

Patches

For more information

Credits

Tags

Sightings

Nomenclature