CVE-2024-31990
Argo CD's API server does not enforce project sourceNamespaces
4.8
MEDIUM
CVSS 3.1
EPSS 0.11%
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces, which allows attackers to use the UI to edit resources that should only be mutable via GitOps. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.
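The check the advisory says the API server skipped, written as a stand-alone audit over Application and AppProject manifests (an added example, not Argo CD's own code; the manifests are constructed, sourceNamespaces glob matching is approximated with fnmatch, and the control-plane namespace is assumed to be argocd):

```python
import fnmatch

# Assumption: the Argo CD control-plane namespace, where Applications are always allowed.
ARGOCD_NAMESPACE = "argocd"

# Constructed sample manifests, as decoded from YAML: one AppProject that only
# permits Applications in namespaces matching "team-a-*", and three Applications.
PROJECT = {
    "metadata": {"name": "team-a"},
    "spec": {"sourceNamespaces": ["team-a-*"]},
}

APPLICATIONS = [
    {"metadata": {"name": "web", "namespace": "team-a-prod"}, "spec": {"project": "team-a"}},
    {"metadata": {"name": "ctl", "namespace": "argocd"}, "spec": {"project": "team-a"}},
    {"metadata": {"name": "rogue", "namespace": "team-b"}, "spec": {"project": "team-a"}},
]


def namespace_allowed(app_ns, project, argocd_ns=ARGOCD_NAMESPACE):
    """The rule the API server should apply: an Application may live in the
    control-plane namespace, or in a namespace matching one of the project's
    sourceNamespaces patterns (glob matching approximated here with fnmatch)."""
    if app_ns == argocd_ns:
        return True
    patterns = project["spec"].get("sourceNamespaces", [])
    return any(fnmatch.fnmatchcase(app_ns, pat) for pat in patterns)


def audit(apps, projects, argocd_ns=ARGOCD_NAMESPACE):
    """Return "namespace/name" for every Application that sits outside the
    namespaces its project allows, or that references an unknown project."""
    by_name = {p["metadata"]["name"]: p for p in projects}
    findings = []
    for app in apps:
        ns = app["metadata"].get("namespace", argocd_ns)
        proj = by_name.get(app["spec"]["project"])
        if proj is None or not namespace_allowed(ns, proj, argocd_ns):
            findings.append(f"{ns}/{app['metadata']['name']}")
    return findings


if __name__ == "__main__":
    for finding in audit(APPLICATIONS, [PROJECT]):
        print("Application outside project sourceNamespaces:", finding)
```

Run against manifests exported from a cluster, the findings list is the set of Applications an unpatched API server would have accepted despite the project restriction.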
How to fix CVE-2024-31990
To remediate CVE-2024-31990, upgrade the affected package to a fixed version below.
- upgrade to 2.10.7 or later
- no fix listed
- upgrade to 2.8.16 or later
- upgrade to 2.8.16 or later
Is CVE-2024-31990 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 2.4.0, < 2.10.7
- from 0
- >= 2.4.0, < 2.8.16
- >= 2.4.0, < 2.8.16, >= 2.9.0, < 2.9.12, >= 2.10.0, < 2.10.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H |