High severity8.2NVD Advisory· Published Jan 28, 2025· Updated Apr 15, 2026
CVE-2024-13484
CVE-2024-13484
Description
A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/redhat-developer/gitops-operator (Go) | < 1.16.2 | 1.16.2 |
Patches
1bc6ac3e03d7cfix CVE namespace-isolation break (#897)
2 files changed · +22 −10
controllers/argocd_metrics_controller.go+12 −3 modified@@ -109,14 +109,23 @@ func (r *ArgoCDMetricsReconciler) Reconcile(ctx context.Context, request reconci } const clusterMonitoringLabel = "openshift.io/cluster-monitoring" - labelVal, exists := namespace.Labels[clusterMonitoringLabel] + const userDefinedMonitoringLabel = "openshift.io/user-monitoring" + var labelVal, monitoringLabel string + var exists bool + if strings.HasPrefix(namespace.Name, "openshift-") { + labelVal, exists = namespace.Labels[clusterMonitoringLabel] + monitoringLabel = clusterMonitoringLabel + } else { + labelVal, exists = namespace.Labels[userDefinedMonitoringLabel] + monitoringLabel = userDefinedMonitoringLabel + } if argocd.Spec.Monitoring.DisableMetrics == nil || !*argocd.Spec.Monitoring.DisableMetrics { if !exists || labelVal != "true" { if namespace.Labels == nil { namespace.Labels = make(map[string]string) } - namespace.Labels[clusterMonitoringLabel] = "true" + namespace.Labels[monitoringLabel] = "true" err = r.Client.Update(ctx, &namespace) if err != nil { reqLogger.Error(err, "Error updating namespace", @@ -178,7 +187,7 @@ func (r *ArgoCDMetricsReconciler) Reconcile(ctx context.Context, request reconci } } else { if exists { - namespace.Labels[clusterMonitoringLabel] = "false" + namespace.Labels[monitoringLabel] = "false" err = r.Client.Update(ctx, &namespace) if err != nil { reqLogger.Error(err, "Error updating namespace",
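Review bot: Namespaces outside `openshift-*` that an earlier operator version already labelled keep `openshift.io/cluster-monitoring=true` after this change, because the new `else` branch reads and writes only `openshift.io/user-monitoring` and nothing in the visible lines removes the old label. Unless a cleanup exists in the part of `Reconcile` outside these hunks, the exposure described in the advisory would persist on upgraded clusters until the label is removed by hand. Consider clearing it in the non-`openshift-` branch, e.g. `delete(namespace.Labels, clusterMonitoringLabel)`, or at least logging when it is present. That path would also need to reach `r.Client.Update`, which is currently skipped when the user-monitoring label is already "true". Separately, the `strings.HasPrefix(namespace.Name, "openshift-")` check is now a trust boundary and deserves a comment such as `// openshift-* namespaces are assumed to be creatable only by cluster admins; every other namespace gets the user-workload monitoring label`.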
controllers/argocd_metrics_controller_test.go+10 −7 modified@@ -81,16 +81,19 @@ func newMetricsReconciler(t *testing.T, namespace, name string, disableMetrics * func TestReconcile_add_namespace_label(t *testing.T) { testCases := []struct { - instanceName string - namespace string + instanceName string + namespace string + expectedLabel string }{ { - instanceName: argoCDInstanceName, - namespace: "openshift-gitops", + instanceName: argoCDInstanceName, + namespace: "openshift-gitops", + expectedLabel: "openshift.io/cluster-monitoring", }, { - instanceName: "instance-two", - namespace: "namespace-two", + instanceName: "instance-two", + namespace: "namespace-two", + expectedLabel: "openshift.io/user-monitoring", }, } for _, tc := range testCases { @@ -101,7 +104,7 @@ func TestReconcile_add_namespace_label(t *testing.T) { ns := corev1.Namespace{} err = r.Client.Get(context.TODO(), types.NamespacedName{Name: tc.namespace}, &ns) assert.NilError(t, err) - value := ns.Labels["openshift.io/cluster-monitoring"] + value := ns.Labels[tc.expectedLabel] assert.Equal(t, value, "true") } }
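Review bot: The `namespace-two` case only checks that `openshift.io/user-monitoring` is "true"; it never asserts that `openshift.io/cluster-monitoring` is absent, which is the property this fix is meant to guarantee. A regression that set both labels on a non-`openshift-` namespace would still pass. After the existing assertion, add something like `if tc.expectedLabel != "openshift.io/cluster-monitoring" { _, found := ns.Labels["openshift.io/cluster-monitoring"]; assert.Assert(t, !found) }`. The loop body starts outside the hunk, so the exact placement should be checked against the full test.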
References
13- github.com/advisories/GHSA-58fx-7v9q-3g56ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-13484ghsaADVISORY
- access.redhat.com/errata/RHSA-2025:7753nvdWEB
- access.redhat.com/errata/RHSA-2025:8274nvdWEB
- access.redhat.com/security/cve/CVE-2024-13484nvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcefghsaWEB
- github.com/redhat-developer/gitops-operator/pull/853ghsaWEB
- github.com/redhat-developer/gitops-operator/pull/869ghsaWEB
- github.com/redhat-developer/gitops-operator/pull/897ghsaWEB
- issues.redhat.com/browse/GITOPS-7037ghsaWEB
- pkg.go.dev/vuln/GO-2025-3427ghsaWEB
- access.redhat.com/errata/RHSA-2025:9506nvd