Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-21T19:08:48.102Z

Updated: 2024-08-02T01:59:50.839Z

Reserved: 2024-04-08T13:48:37.491Z

Link: CVE-2024-31989

cve-icon Vulnrichment

Updated: 2024-05-22T14:58:43.998Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-21T19:15:09.770

Modified: 2024-11-21T09:14:17.543

Link: CVE-2024-31989

cve-icon Redhat

Severity : Important

Publid Date: 2024-05-15T00:00:00Z

Links: CVE-2024-31989 - Bugzilla