-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31989 #2877
Labels
Comments
Change https://go.dev/cl/590277 mentions this issue: |
This was referenced Jun 5, 2024
Closed
Change https://go.dev/cl/606359 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 19, 2024
- data/reports/GO-2024-2642.yaml - data/reports/GO-2024-2644.yaml - data/reports/GO-2024-2645.yaml - data/reports/GO-2024-2664.yaml - data/reports/GO-2024-2665.yaml - data/reports/GO-2024-2675.yaml - data/reports/GO-2024-2684.yaml - data/reports/GO-2024-2690.yaml - data/reports/GO-2024-2697.yaml - data/reports/GO-2024-2704.yaml - data/reports/GO-2024-2707.yaml - data/reports/GO-2024-2718.yaml - data/reports/GO-2024-2719.yaml - data/reports/GO-2024-2728.yaml - data/reports/GO-2024-2741.yaml - data/reports/GO-2024-2752.yaml - data/reports/GO-2024-2757.yaml - data/reports/GO-2024-2769.yaml - data/reports/GO-2024-2792.yaml - data/reports/GO-2024-2801.yaml - data/reports/GO-2024-2815.yaml - data/reports/GO-2024-2843.yaml - data/reports/GO-2024-2844.yaml - data/reports/GO-2024-2847.yaml - data/reports/GO-2024-2848.yaml - data/reports/GO-2024-2851.yaml - data/reports/GO-2024-2852.yaml - data/reports/GO-2024-2854.yaml - data/reports/GO-2024-2855.yaml - data/reports/GO-2024-2856.yaml - data/reports/GO-2024-2857.yaml - data/reports/GO-2024-2858.yaml - data/reports/GO-2024-2866.yaml - data/reports/GO-2024-2867.yaml - data/reports/GO-2024-2877.yaml - data/reports/GO-2024-2886.yaml - data/reports/GO-2024-2891.yaml - data/reports/GO-2024-2898.yaml - data/reports/GO-2024-2901.yaml - data/reports/GO-2024-2902.yaml - data/reports/GO-2024-2905.yaml - data/reports/GO-2024-2911.yaml - data/reports/GO-2024-2917.yaml - data/reports/GO-2024-2919.yaml - data/reports/GO-2024-2922.yaml - data/reports/GO-2024-2939.yaml - data/reports/GO-2024-2941.yaml - data/reports/GO-2024-2972.yaml - data/reports/GO-2024-2981.yaml - data/reports/GO-2024-2987.yaml Updates #2642 Updates #2644 Updates #2645 Updates #2664 Updates #2665 Updates #2675 Updates #2684 Updates #2690 Updates #2697 Updates #2704 Updates #2707 Updates #2718 Updates #2719 Updates #2728 Updates #2741 Updates #2752 Updates #2757 Updates #2769 Updates #2792 Updates #2801 Updates #2815 Updates #2843 Updates #2844 Updates #2847 Updates #2848 Updates #2851 Updates #2852 Updates #2854 Updates #2855 Updates #2856 Updates #2857 Updates #2858 Updates #2866 Updates #2867 Updates #2877 Updates #2886 Updates #2891 Updates #2898 Updates #2901 Updates #2902 Updates #2905 Updates #2911 Updates #2917 Updates #2919 Updates #2922 Updates #2939 Updates #2941 Updates #2972 Updates #2981 Updates #2987 Change-Id: I2dff127628eabc7c25afa4020c15a4d35a46a2c4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606359 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
CVE-2024-31989 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: