​
DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2024-31990

Published

Last updated

https://nvd.nist.gov/vuln/detail/CVE-2024-31990

Severity

4.8

Medium

CVSS V3

Summary

Argo CD's API server does not enforce project sourceNamespaces

Description

Impact

I can convince the UI to let me do things with an invalid Application.

  1. Admin gives me p, michael, applications, *, demo/*, allow, where demo can just deploy to the demo namespace
  2. Admin gives me AppProject dev which reconciles from ns dev-apps
  3. Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only
  4. I create an Application called pwn in dev-apps with project dev and sync the app with sources from git
  5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
  6. I use the UI to edit the resource which should only be mutable via gitops

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.7 v2.9.12 v2.8.16

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

References

Affected packages


Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images