Unprivileged Pods Can Connect to Redis Server on Port 6379, Raising Security Concerns
CVE-2024-31989
What is CVE-2024-31989?
Argo CD, a widely used GitOps continuous-delivery tool for Kubernetes, has a vulnerability that lets an unprivileged pod in a different namespace of the same cluster connect to the Argo CD Redis server on port 6379. The issue persists even when the latest VPC CNI plugin is installed on an EKS cluster, because that plugin enforces Kubernetes network policies only after manual configuration; without it, a NetworkPolicy is accepted but not enforced. The result is unintended exposure of the Redis server, which can potentially allow unauthorized access to cluster controller privileges or leak sensitive information. Affected users are advised to update to version 2.8.19, 2.9.15, or 2.10.10 to mitigate these risks.
Affected Version(s)
argo-cd < 2.8.19 (fixed in 2.8.19)
argo-cd >= 2.9.0-rc1, < 2.9.15 (fixed in 2.9.15)
argo-cd >= 2.10.0-rc1, < 2.10.10 (fixed in 2.10.10)