CVE-2024-31989

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-31989
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31989.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-31989
Aliases
Related
Published
2024-05-21T19:08:48.102Z
Modified
2026-05-28T03:54:23.293086986Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31989.json",
    "cwe_ids": [
        "CWE-327"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
f491935eb9c9508eb575b239c1393276838f712e
Fixed
9f40df0c29eca7e45a73f802f033dfd1ed0068e3

Affected versions

v2.*
v2.11.0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31989.json"