VYPR
Critical severity · NVD Advisory · Published May 21, 2024 · Updated Aug 2, 2024

ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache

CVE-2024-31989

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Argo CD Redis server on port 6379. Even with the latest version of the VPC CNI plugin installed on an EKS cluster, network policy enforcement must be enabled manually through configuration, so the NetworkPolicy objects that would restrict access are not applied by default. This raises the concern that many clients unknowingly have open access to their Redis servers. The vulnerability could lead to privilege escalation to the level of the cluster controller, or to information leakage, and affects anyone who does not have strict access controls on their Redis instance. This issue has been patched in versions 2.8.19, 2.9.15 and 2.10.10.
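As an added illustration of the access control the advisory describes (this is a constructed example, not from the advisory or the Argo CD project), the NetworkPolicy below limits ingress to the Redis pod to the Argo CD components that use the cache. It assumes a non-HA install in the default argocd namespace and the upstream label convention app.kubernetes.io/name=<component>; because only podSelector is used, pods from other namespaces are denied, which is exactly the case the advisory raises.

```yaml
# Constructed example; not part of the advisory or the Argo CD manifests.
# Assumes labels app.kubernetes.io/name=<component> and the "argocd" namespace.
# A NetworkPolicy only has effect when the cluster CNI enforces policies; on
# EKS the VPC CNI must have network policy enforcement enabled explicitly,
# otherwise this object is accepted by the API server but never applied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-allow-argocd-only
  namespace: argocd
spec:
  # Target the Redis pod that backs the Argo CD cache.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only in-namespace Argo CD components that legitimately use Redis.
        # No namespaceSelector: pods in other namespaces are rejected.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-repo-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
      ports:
        - protocol: TCP
          port: 6379
```

After applying it, confirm that enforcement is actually active by checking that a test pod in another namespace can no longer reach the Redis service on 6379; if it still can, the CNI is not enforcing policies and the advisory's exposure remains regardless of this object.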


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions            Patched versions
github.com/argoproj/argo-cd/v2 (Go)  < 2.8.19                     2.8.19
github.com/argoproj/argo-cd/v2 (Go)  >= 2.9.0-rc1, < 2.9.15       2.9.15
github.com/argoproj/argo-cd/v2 (Go)  >= 2.10.0-rc1, < 2.10.10     2.10.10
github.com/argoproj/argo-cd/v2 (Go)  >= 2.11.0-rc1, < 2.11.1      2.11.1
github.com/argoproj/argo-cd (Go)     <= 1.8.7                     (none listed)
