CVE-2024-31990

MEDIUM4.8EPSS 0.11%

Argo CD's API server does not enforce project sourceNamespaces

發布日:2024/4/15修改日:2026/2/4

描述

### Impact I can convince the UI to let me do things with an invalid Application. 1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace 2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps` 3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e. no updating via the UI allowed, gitops-only 4. I create an Application called `pwn` in `dev-apps` with project dev and sync the app with sources from git 5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe) 6. I use the UI to edit the resource which should only be mutable via gitops ### Patches A patch for this vulnerability has been released in the following Argo CD versions: v2.10.7 v2.9.12 v2.8.16 ### For more information If you have any questions or comments about this advisory: Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions) Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd ### Credits This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw) The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

受影響套件(4)

Bitnami/argo-cd>= 2.4.0, < 2.10.7
Go/github.com/argoproj/argo-cdfrom 0
Go/github.com/argoproj/argo-cd/v2>= 2.4.0, < 2.8.16
Go/github.com/argoproj/argo-cd/v2>= 2.4.0, < 2.8.16, >= 2.9.0, < 2.9.12, >= 2.10.0, < 2.10.7

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

描述

受影響套件(4)

CVSS 分數

參考連結(6)