CVE-2024-31990: Argo CD' API server does not enforce project sourceNamespaces
First published: Mon Apr 15 2024(Updated: )
### Impact I can convince the UI to let me do things with an invalid Application. 1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace 2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps` 3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e. no updating via the UI allowed, gitops-only 4. I create an Application called `pwn` in `dev-apps` with project dev and sync the app with sources from git 5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe) 6. I use the UI to edit the resource which should only be mutable via gitops ### Patches A patch for this vulnerability has been released in the following Argo CD versions: v2.10.7 v2.9.12 v2.8.16 ### For more information If you have any questions or comments about this advisory: Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd ### Credits This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw) The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/argoproj/argo-cd/v2 | >=2.10.0<2.10.7 | 2.10.7 |
| go/github.com/argoproj/argo-cd/v2 | >=2.9.0<2.9.12 | 2.9.12 |
| go/github.com/argoproj/argo-cd/v2 | >=2.4.0<2.8.16 | 2.8.16 |
| redhat/argo-cd | <2.10.7 | 2.10.7 |
| redhat/argo-cd | <2.9.12 | 2.9.12 |
| redhat/argo-cd | <2.8.16 | 2.8.16 |
| Argoproj Argo Cd | >=2.4.0<2.8.16 | |
| Argoproj Argo Cd | >=2.9.0<2.9.12 | |
| Argoproj Argo Cd | >=2.10.0<2.10.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
- https://nvd.nist.gov/vuln/detail/CVE-2024-31990
- https://github.com/advisories/GHSA-2gvw-w6fj-7m3c (Advisory)
- https://access.redhat.com/errata/RHSA-2024:2816
- https://bugzilla.redhat.com/show_bug.cgi?id=2275189
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2gvw-w6fj-7m3c
- alias/CVE-2024-31990
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/github-advisory
- agent/references
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/trending
- collector/nvd-api
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/tags
- package-manager/go
- package-manager/redhat
- vendor/argoproj
- canonical/argoproj argo cd
- version/argoproj argo cd/2.4.0
- version/argoproj argo cd/2.9.0
- version/argoproj argo cd/2.10.0