Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31989 #2877

Closed
GoVulnBot opened this issue May 21, 2024 · 2 comments
Labels

Comments

@GoVulnBot
Copy link

CVE-2024-31989 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
summary: CVE-2024-31989 in github.com/argoproj/argo-cd
cves:
    - CVE-2024-31989
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31989
    - fix: https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d
    - fix: https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678
    - fix: https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c
    - fix: https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff
    - fix: https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12
    - fix: https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07
    - fix: https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994
    - fix: https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0
    - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr
source:
    id: CVE-2024-31989
    created: 2024-05-21T21:01:27.657641881Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590277 mentions this issue: data/reports: add 26 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606359 mentions this issue: data/reports: regenerate 50 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
  - data/reports/GO-2024-2642.yaml
  - data/reports/GO-2024-2644.yaml
  - data/reports/GO-2024-2645.yaml
  - data/reports/GO-2024-2664.yaml
  - data/reports/GO-2024-2665.yaml
  - data/reports/GO-2024-2675.yaml
  - data/reports/GO-2024-2684.yaml
  - data/reports/GO-2024-2690.yaml
  - data/reports/GO-2024-2697.yaml
  - data/reports/GO-2024-2704.yaml
  - data/reports/GO-2024-2707.yaml
  - data/reports/GO-2024-2718.yaml
  - data/reports/GO-2024-2719.yaml
  - data/reports/GO-2024-2728.yaml
  - data/reports/GO-2024-2741.yaml
  - data/reports/GO-2024-2752.yaml
  - data/reports/GO-2024-2757.yaml
  - data/reports/GO-2024-2769.yaml
  - data/reports/GO-2024-2792.yaml
  - data/reports/GO-2024-2801.yaml
  - data/reports/GO-2024-2815.yaml
  - data/reports/GO-2024-2843.yaml
  - data/reports/GO-2024-2844.yaml
  - data/reports/GO-2024-2847.yaml
  - data/reports/GO-2024-2848.yaml
  - data/reports/GO-2024-2851.yaml
  - data/reports/GO-2024-2852.yaml
  - data/reports/GO-2024-2854.yaml
  - data/reports/GO-2024-2855.yaml
  - data/reports/GO-2024-2856.yaml
  - data/reports/GO-2024-2857.yaml
  - data/reports/GO-2024-2858.yaml
  - data/reports/GO-2024-2866.yaml
  - data/reports/GO-2024-2867.yaml
  - data/reports/GO-2024-2877.yaml
  - data/reports/GO-2024-2886.yaml
  - data/reports/GO-2024-2891.yaml
  - data/reports/GO-2024-2898.yaml
  - data/reports/GO-2024-2901.yaml
  - data/reports/GO-2024-2902.yaml
  - data/reports/GO-2024-2905.yaml
  - data/reports/GO-2024-2911.yaml
  - data/reports/GO-2024-2917.yaml
  - data/reports/GO-2024-2919.yaml
  - data/reports/GO-2024-2922.yaml
  - data/reports/GO-2024-2939.yaml
  - data/reports/GO-2024-2941.yaml
  - data/reports/GO-2024-2972.yaml
  - data/reports/GO-2024-2981.yaml
  - data/reports/GO-2024-2987.yaml

Updates #2642
Updates #2644
Updates #2645
Updates #2664
Updates #2665
Updates #2675
Updates #2684
Updates #2690
Updates #2697
Updates #2704
Updates #2707
Updates #2718
Updates #2719
Updates #2728
Updates #2741
Updates #2752
Updates #2757
Updates #2769
Updates #2792
Updates #2801
Updates #2815
Updates #2843
Updates #2844
Updates #2847
Updates #2848
Updates #2851
Updates #2852
Updates #2854
Updates #2855
Updates #2856
Updates #2857
Updates #2858
Updates #2866
Updates #2867
Updates #2877
Updates #2886
Updates #2891
Updates #2898
Updates #2901
Updates #2902
Updates #2905
Updates #2911
Updates #2917
Updates #2919
Updates #2922
Updates #2939
Updates #2941
Updates #2972
Updates #2981
Updates #2987

Change-Id: I2dff127628eabc7c25afa4020c15a4d35a46a2c4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606359
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants