CVE-2024-31989

Disclosure Date: May 21, 2024 •

CVE-2024-31989 CVSS v3 Base Score: 9.0

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.0 Critical

Impact Score:

Exploitability Score:

2.3

Vector:

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Adjacent_network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

argoproj

Products

argo cd

References

Canonical

CVE-2024-31989 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31989)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2024-31989 (https://github.com/vt0x78/CVE-2024-31989) (Added by AKB Worker)