PT-2024-24340 · Argo Cd · Argo Cd

Crenshaw-Dev · Published 2024-04-15 · Updated 2025-01-09 · CVE-2024-31990

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Argo CD versions prior to 2.10.7
Argo CD versions prior to 2.9.12
Argo CD versions prior to 2.8.16

Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce a project's sourceNamespaces restriction, which allows attackers to use the UI to edit resources that should only be mutable via GitOps. An attacker can exploit this by creating an Application in a specific namespace, changing its project, and then using the UI to edit the resource.

Recommendations
For versions prior to 2.10.7, update to version 2.10.7 or later.
For versions prior to 2.9.12, update to version 2.9.12 or later.
For versions prior to 2.8.16, update to version 2.8.16 or later.
As a temporary workaround, consider restricting access to the UI for editing resources to minimize the risk of exploitation.
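The enforcement the description says was missing, written out as an added example in Go (not Argo CD's own code; the types, the glob semantics of path.Match and the always-permitted control-plane namespace "argocd" are simplifying assumptions): every create or update of an Application, including one that only changes the project field, must confirm that the Application's namespace is listed in the target project's sourceNamespaces.

```go
package main

import (
	"fmt"
	"path"
)

// Simplified stand-ins for the Argo CD types (assumption, not the project's own code).
type AppProject struct {
	Name             string
	SourceNamespaces []string // glob patterns such as "team-a-*"
}

type Application struct {
	Name, Namespace, Project string
}

// Apps in the control-plane namespace are always permitted (assumed default).
const argocdNamespace = "argocd"

// namespacePermitted reports whether an Application living in ns may belong to p.
func namespacePermitted(p AppProject, ns string) bool {
	if ns == argocdNamespace {
		return true
	}
	for _, pattern := range p.SourceNamespaces {
		if ok, _ := path.Match(pattern, ns); ok {
			return true
		}
	}
	return false
}

// ValidateAppUpdate is the check the API server must apply to every create and
// update, including one whose only change is the project field: the namespace
// the app already sits in must be allowed by the project it is moving into.
func ValidateAppUpdate(projects map[string]AppProject, app Application) error {
	p, ok := projects[app.Project]
	if !ok {
		return fmt.Errorf("app %s/%s: project %q does not exist", app.Namespace, app.Name, app.Project)
	}
	if !namespacePermitted(p, app.Namespace) {
		return fmt.Errorf("app %s/%s: namespace not in sourceNamespaces %v of project %q",
			app.Namespace, app.Name, p.SourceNamespaces, app.Project)
	}
	return nil
}
```

A project with an empty sourceNamespaces list therefore only accepts Applications from the control-plane namespace, which is the "mutable only via GitOps" posture the advisory refers to.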

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-ARGO-CD-2024-31990
CVE-2024-31990
GHSA-2GVW-W6FJ-7M3C
GO-2024-2728

Affected Products

Argo Cd