CVE-2024-31990 Vulnerability Details

  /     /     /  

CVE-2024-31990 Metadata Quick Info

CVE Published: 15/04/2024 | CVE Updated: 02/08/2024 | CVE Year: 2024
Source: GitHub_M | Vendor: argoproj | Product: argo-cd
Status : PUBLISHED

---

CVE-2024-31990 Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.

Metrics

CVSS Version: 3.1 | Base Score: 4.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* LOW
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* NONE
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-863
CWE Name: CWE-863: Incorrect Authorization
Source: argoproj

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).