x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728

GoVulnBot · 2024-04-15T21:01:25Z

CVE-2024-31990 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16.

References:

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31990
JSON: https://github.com/CVEProject/cvelist/tree/90e9c4059d4527e1027c94573ad752efb9239d02/2024/31xxx/CVE-2024-31990.json
advisory: GHSA-2gvw-w6fj-7m3c
fix: argoproj/argo-cd@c514105
fix: argoproj/argo-cd@c5a252c
fix: argoproj/argo-cd@e0ff56d
Imported by: https://pkg.go.dev/github.com/argoproj/argo-cd?tab=importedby

Cross references:

Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882 NOT_IMPORTABLE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892 NOT_IMPORTABLE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512 NOT_IMPORTABLE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520 NOT_IMPORTABLE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-c8xw-vjgf-94hr #2018 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049 NOT_IMPORTABLE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-22424 #2470 EFFECTIVELY_PRIVATE
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-g623-jcgg-mhmm #2643
Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jwv5-8mqv-g387 #2646

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
cves:
    - CVE-2024-31990
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
    - fix: https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
    - fix: https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
    - fix: https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-04-30T15:57:56Z

Change https://go.dev/cl/582535 mentions this issue: data/reports: batch add unreviewed reports

gopherbot · 2024-05-17T20:42:32Z

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

gopherbot · 2024-06-03T19:20:36Z

Change https://go.dev/cl/590039 mentions this issue: data/reports: add 51 reports

gopherbot · 2024-08-16T21:17:01Z

Change https://go.dev/cl/606359 mentions this issue: data/reports: regenerate 50 reports

- data/reports/GO-2024-2642.yaml - data/reports/GO-2024-2644.yaml - data/reports/GO-2024-2645.yaml - data/reports/GO-2024-2664.yaml - data/reports/GO-2024-2665.yaml - data/reports/GO-2024-2675.yaml - data/reports/GO-2024-2684.yaml - data/reports/GO-2024-2690.yaml - data/reports/GO-2024-2697.yaml - data/reports/GO-2024-2704.yaml - data/reports/GO-2024-2707.yaml - data/reports/GO-2024-2718.yaml - data/reports/GO-2024-2719.yaml - data/reports/GO-2024-2728.yaml - data/reports/GO-2024-2741.yaml - data/reports/GO-2024-2752.yaml - data/reports/GO-2024-2757.yaml - data/reports/GO-2024-2769.yaml - data/reports/GO-2024-2792.yaml - data/reports/GO-2024-2801.yaml - data/reports/GO-2024-2815.yaml - data/reports/GO-2024-2843.yaml - data/reports/GO-2024-2844.yaml - data/reports/GO-2024-2847.yaml - data/reports/GO-2024-2848.yaml - data/reports/GO-2024-2851.yaml - data/reports/GO-2024-2852.yaml - data/reports/GO-2024-2854.yaml - data/reports/GO-2024-2855.yaml - data/reports/GO-2024-2856.yaml - data/reports/GO-2024-2857.yaml - data/reports/GO-2024-2858.yaml - data/reports/GO-2024-2866.yaml - data/reports/GO-2024-2867.yaml - data/reports/GO-2024-2877.yaml - data/reports/GO-2024-2886.yaml - data/reports/GO-2024-2891.yaml - data/reports/GO-2024-2898.yaml - data/reports/GO-2024-2901.yaml - data/reports/GO-2024-2902.yaml - data/reports/GO-2024-2905.yaml - data/reports/GO-2024-2911.yaml - data/reports/GO-2024-2917.yaml - data/reports/GO-2024-2919.yaml - data/reports/GO-2024-2922.yaml - data/reports/GO-2024-2939.yaml - data/reports/GO-2024-2941.yaml - data/reports/GO-2024-2972.yaml - data/reports/GO-2024-2981.yaml - data/reports/GO-2024-2987.yaml Updates #2642 Updates #2644 Updates #2645 Updates #2664 Updates #2665 Updates #2675 Updates #2684 Updates #2690 Updates #2697 Updates #2704 Updates #2707 Updates #2718 Updates #2719 Updates #2728 Updates #2741 Updates #2752 Updates #2757 Updates #2769 Updates #2792 Updates #2801 Updates #2815 Updates #2843 Updates #2844 Updates #2847 Updates #2848 Updates #2851 Updates #2852 Updates #2854 Updates #2855 Updates #2856 Updates #2857 Updates #2858 Updates #2866 Updates #2867 Updates #2877 Updates #2886 Updates #2891 Updates #2898 Updates #2901 Updates #2902 Updates #2905 Updates #2911 Updates #2917 Updates #2919 Updates #2922 Updates #2939 Updates #2941 Updates #2972 Updates #2981 Updates #2987 Change-Id: I2dff127628eabc7c25afa4020c15a4d35a46a2c4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606359 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>

jba self-assigned this Apr 19, 2024

tatianab added the triaged label May 23, 2024

gopherbot closed this as completed in 96f0f48 Jun 4, 2024

GoVulnBot mentioned this issue Jul 24, 2024

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728

GoVulnBot commented Apr 15, 2024

gopherbot commented Apr 30, 2024

gopherbot commented May 17, 2024

gopherbot commented Jun 3, 2024

gopherbot commented Aug 16, 2024

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728

Comments

GoVulnBot commented Apr 15, 2024

gopherbot commented Apr 30, 2024

gopherbot commented May 17, 2024

gopherbot commented Jun 3, 2024

gopherbot commented Aug 16, 2024