PT-2024-5047 · Argo Cd+1

Oreenlivnicode · Published 2024-05-21 · Updated 2025-01-09 · CVE-2024-31989

CVSS v3.1: 9.0 Critical

Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Argo CD versions prior to 2.8.19; Argo CD versions prior to 2.9.15; Argo CD versions prior to 2.10.10
Description: An unprivileged pod in a different namespace on the same cluster can connect to the Redis server on port 6379, potentially leading to privilege escalation or information leakage. This is possible because the Redis server is not password-protected by default and strict access controls are lacking. An attacker could modify the "mfst" key to cause Argo CD to execute any deployment, or edit the "app|resources-tree" key to load any Kubernetes resource into the live manifest section of the app preview, resulting in information leakage.
Recommendations: For versions prior to 2.8.19, update to version 2.8.19 or later. For versions prior to 2.9.15, update to version 2.9.15 or later. For versions prior to 2.10.10, update to version 2.10.10 or later. As a temporary workaround, consider using NetworkPolicy to restrict communication with the Redis instance. Restrict access to the Redis server to only the pods application-controller, repo-server, and argocd-server. Enable the network policy plugin to enforce network policies.
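
The NetworkPolicy workaround above can be checked mechanically. The following Python check is an added example, not code from this advisory or from the Argo CD project: it audits NetworkPolicy objects and reports any ingress rule that lets sources other than application-controller, repo-server and argocd-server reach Redis on port 6379. The label key `app.kubernetes.io/name`, its values and the function names are assumptions about the install, and the sample policies are constructed.

```python
# Added example: audit NetworkPolicy objects (the "items" list from
# `kubectl get networkpolicy -n <namespace> -o json`) for Redis exposure on 6379.
# The label key and values below are assumptions, not taken from the advisory.
LABEL = "app.kubernetes.io/name"
REDIS = {LABEL: "argocd-redis"}
ALLOWED = {"argocd-application-controller", "argocd-repo-server", "argocd-server"}

def covers_6379(rule):
    # No ports, a missing port or a named port may all match 6379: be conservative.
    return not rule.get("ports") or any(
        not isinstance(p.get("port"), int)
        or p["port"] <= 6379 <= p.get("endPort", p["port"])
        for p in rule["ports"])

def peer_problem(peer):
    if "ipBlock" in peer or "namespaceSelector" in peer:
        return "peer is not restricted to pods in the policy's namespace"
    sel = peer.get("podSelector") or {}
    name = (sel.get("matchLabels") or {}).get(LABEL)
    if sel.get("matchExpressions") or name not in ALLOWED:
        return f"peer {name!r} is not limited to an allowed component"
    return None

def audit(policies):
    findings, selected = [], False
    for pol in policies:
        spec, name = pol.get("spec", {}), pol["metadata"]["name"]
        target = (spec.get("podSelector") or {}).get("matchLabels") or {}
        if any(REDIS.get(k) != v for k, v in target.items()):
            continue                    # policy does not select the Redis pod
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue                    # egress-only policy
        selected = True
        for rule in filter(covers_6379, spec.get("ingress") or []):
            peers = rule.get("from")    # empty or missing "from" admits every source
            msgs = map(peer_problem, peers) if peers else ["rule admits every source"]
            findings += [f"{name}: {m}" for m in msgs if m]
    if not selected:
        findings.append("no ingress policy selects Redis: 6379 is reachable cluster-wide")
    return findings

# Constructed sample policies: one strict, one that admits any namespace.
def make_policy(name, ingress):
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": REDIS}, "ingress": ingress}}
PEERS = [{"podSelector": {"matchLabels": {LABEL: n}}} for n in sorted(ALLOWED)]
STRICT = [make_policy("redis-strict", [{"from": PEERS, "ports": [{"port": 6379}]}])]
LOOSE = [make_policy("redis-loose",
                     [{"from": [{"namespaceSelector": {}}], "ports": [{"port": 6379}]}])]
```

An empty result from `audit` only describes the policy objects; the rules take effect only when the network policy plugin is enabled, as the recommendation states.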

Exploit

Fix

Use of a Broken Cryptographic Algorithm

Weakness Enumeration

Related Identifiers

BDU:2024-05574
BIT-ARGO-CD-2024-31989
CVE-2024-31989
GHSA-9766-5277-J5HR
GO-2024-2877

Affected Products

Argo Cd
Redis