x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-58fx-7v9q-3g56 #3427

GoVulnBot · 2025-01-28T21:01:26Z

Advisory GHSA-58fx-7v9q-3g56 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/v2

Description:
A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

References:

ADVISORY: GHSA-58fx-7v9q-3g56
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-13484
WEB: https://access.redhat.com/security/cve/CVE-2024-13484
WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2269376

Cross references:

github.com/argoproj/argo-cd appears in 37 other report(s):
- data/excluded/GO-2024-2470.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-22424 #2470) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0304.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304)
- data/reports/GO-2022-0357.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357)
- data/reports/GO-2022-0358.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358)
- data/reports/GO-2022-0359.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359)
- data/reports/GO-2022-0387.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387)
- data/reports/GO-2022-0453.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453)
- data/reports/GO-2022-0454.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454)
- data/reports/GO-2022-0455.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455)
- data/reports/GO-2022-0495.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495)
- data/reports/GO-2022-0497.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497)
- data/reports/GO-2022-0498.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498)
- data/reports/GO-2022-0499.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499)
- data/reports/GO-2022-0516.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516)
- data/reports/GO-2022-0517.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517)
- data/reports/GO-2022-0518.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518)
- data/reports/GO-2022-0869.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-qq5v-f4c3-395c #869)
- data/reports/GO-2022-0882.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882)
- data/reports/GO-2022-0892.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892)
- data/reports/GO-2023-1512.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512)
- data/reports/GO-2023-1520.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520)
- data/reports/GO-2023-1577.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577)
- data/reports/GO-2023-1670.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670)
- data/reports/GO-2023-1952.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-xj7v-c82w-92q2 #1952)
- data/reports/GO-2023-2018.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-c8xw-vjgf-94hr #2018)
- data/reports/GO-2023-2049.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049)
- data/reports/GO-2023-2050.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050)
- data/reports/GO-2023-2085.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-6jqw-jwf5-rp8h #2085)
- data/reports/GO-2024-2643.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-g623-jcgg-mhmm #2643)
- data/reports/GO-2024-2646.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jwv5-8mqv-g387 #2646)
- data/reports/GO-2024-2728.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728)
- data/reports/GO-2024-2792.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-32476 #2792)
- data/reports/GO-2024-2877.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31989 #2877)
- data/reports/GO-2024-2898.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-36106 #2898)
- data/reports/GO-2024-2902.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-37152 #2902)
- data/reports/GO-2024-3002.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jmvp-698c-4x3w #3002)
- data/reports/GO-2024-3006.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006)
github.com/argoproj/argo-cd/v2 appears in 35 other report(s):
- data/reports/GO-2022-0304.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304)
- data/reports/GO-2022-0357.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357)
- data/reports/GO-2022-0358.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358)
- data/reports/GO-2022-0359.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359)
- data/reports/GO-2022-0453.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453)
- data/reports/GO-2022-0454.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454)
- data/reports/GO-2022-0455.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455)
- data/reports/GO-2022-0495.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495)
- data/reports/GO-2022-0497.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497)
- data/reports/GO-2022-0498.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498)
- data/reports/GO-2022-0499.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499)
- data/reports/GO-2022-0516.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516)
- data/reports/GO-2022-0517.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517)
- data/reports/GO-2022-0518.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518)
- data/reports/GO-2023-1512.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512)
- data/reports/GO-2023-1520.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520)
- data/reports/GO-2023-1548.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-25163 #1548)
- data/reports/GO-2023-1577.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577)
- data/reports/GO-2023-1670.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670)
- data/reports/GO-2023-2018.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-c8xw-vjgf-94hr #2018)
- data/reports/GO-2023-2049.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049)
- data/reports/GO-2023-2050.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050)
- data/reports/GO-2023-2085.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-6jqw-jwf5-rp8h #2085)
- data/reports/GO-2024-2643.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-g623-jcgg-mhmm #2643)
- data/reports/GO-2024-2646.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jwv5-8mqv-g387 #2646)
- data/reports/GO-2024-2652.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-2vgg-9h6w-m454 #2652)
- data/reports/GO-2024-2654.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6v85-wr92-q4p7 #2654)
- data/reports/GO-2024-2667.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jhwx-mhww-rgc3 #2667)
- data/reports/GO-2024-2728.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728)
- data/reports/GO-2024-2792.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-32476 #2792)
- data/reports/GO-2024-2877.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31989 #2877)
- data/reports/GO-2024-2898.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-36106 #2898)
- data/reports/GO-2024-2902.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-37152 #2902)
- data/reports/GO-2024-3002.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jmvp-698c-4x3w #3002)
- data/reports/GO-2024-3006.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
    - module: github.com/argoproj/argo-cd/v2
      vulnerable_at: 2.13.3
summary: ArgoCD Namespace Isolation Break in github.com/argoproj/argo-cd
cves:
    - CVE-2024-13484
ghsas:
    - GHSA-58fx-7v9q-3g56
references:
    - advisory: https://github.com/advisories/GHSA-58fx-7v9q-3g56
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-13484
    - web: https://access.redhat.com/security/cve/CVE-2024-13484
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2269376
source:
    id: GHSA-58fx-7v9q-3g56
    created: 2025-01-28T21:01:26.364543577Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-01-28T22:23:40Z

Change https://go.dev/cl/645137 mentions this issue: data/reports: add 3 unreviewed reports

GoVulnBot added the NeedsTriage label Jan 28, 2025

tatianab added triaged and removed NeedsTriage labels Jan 28, 2025

gopherbot closed this as completed in 08f71b7 Jan 29, 2025

GoVulnBot mentioned this issue Jan 30, 2025

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2025-23216 #3433

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-58fx-7v9q-3g56 #3427

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-58fx-7v9q-3g56 #3427

GoVulnBot commented Jan 28, 2025

gopherbot commented Jan 28, 2025

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-58fx-7v9q-3g56 #3427

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-58fx-7v9q-3g56 #3427

Comments

GoVulnBot commented Jan 28, 2025

gopherbot commented Jan 28, 2025