CVE-2024-13484
Published: 28 January 2025
Summary
CVE-2024-13484 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE ranks at the 9.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2024-13484 is a vulnerability in the openshift-gitops-operator-container, associated with CWE-668. The flaw occurs because the openshift.io/cluster-monitoring label is automatically applied to all namespaces that deploy an ArgoCD Custom Resource (CR) instance. This labeling enables those namespaces to create a rogue PrometheusRule, which is then rolled out cluster-wide due to the label, resulting in adverse effects on the platform monitoring stack.
The vulnerability has a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). Exploitation requires local access and high privileges within the affected OpenShift environment. A privileged attacker can deploy an ArgoCD CR instance in a namespace, trigger the application of the cluster-monitoring label, and create a malicious PrometheusRule that propagates cluster-wide, potentially compromising confidentiality, integrity, and availability of the monitoring stack with high impact.
Red Hat has issued multiple errata addressing this issue, including RHSA-2025:7753, RHSA-2025:8274, and RHSA-2025:9506. Further details on the vulnerability and mitigation steps are available in the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2024-13484 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2269376.
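The mechanism described above is simple to audit from the defender's side: the label is the trigger, so any tenant namespace that carries it is a place where a PrometheusRule would be picked up by the platform monitoring stack. The following script is an added example written for this write-up; it is not Red Hat's code and not part of the openshift-gitops-operator. It reads the JSON that `oc get namespaces -o json` and `oc get prometheusrules -A -o json` produce (kubectl-style List objects) and reports non-platform namespaces that carry the label together with the PrometheusRules already present in them. The platform-namespace prefixes and the two sample documents are assumptions constructed for the example, not data captured from a real cluster.

```python
"""Audit OpenShift namespaces for the openshift.io/cluster-monitoring label.

Added example for the CVE-2024-13484 write-up; not Red Hat's code and not
part of the openshift-gitops-operator. It consumes the JSON produced by
`oc get namespaces -o json` and `oc get prometheusrules -A -o json` and
flags tenant namespaces carrying the label, since a PrometheusRule created
there is rolled out to the platform monitoring stack.
"""
import json

LABEL = "openshift.io/cluster-monitoring"
# Namespaces the platform labels on purpose. The prefix list is an assumption
# for this example; adjust it to the conventions of your own cluster.
PLATFORM_PREFIXES = ("openshift-", "kube-")


def is_platform_namespace(name):
    """True for namespaces the platform itself is expected to label."""
    return name == "default" or name.startswith(PLATFORM_PREFIXES)


def labeled_namespaces(namespace_list):
    """Return the set of namespace names whose cluster-monitoring label is 'true'."""
    found = set()
    for item in namespace_list.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if str(labels.get(LABEL, "")).lower() == "true":
            found.add(meta["name"])
    return found


def rules_by_namespace(rule_list):
    """Group PrometheusRule names by the namespace that owns them."""
    grouped = {}
    for item in rule_list.get("items", []):
        meta = item.get("metadata", {})
        grouped.setdefault(meta.get("namespace", ""), []).append(meta.get("name", ""))
    return grouped


def audit(namespace_list, rule_list):
    """Return one finding per non-platform namespace that carries the label.

    A finding lists the PrometheusRules living in that namespace; a non-empty
    list means tenant-authored rules are already being rolled out cluster-wide.
    """
    findings = []
    rules = rules_by_namespace(rule_list)
    for ns in sorted(labeled_namespaces(namespace_list)):
        if is_platform_namespace(ns):
            continue
        findings.append({"namespace": ns, "prometheusrules": sorted(rules.get(ns, []))})
    return findings


# Constructed sample data shaped like `oc get ... -o json` output (not real cluster data).
SAMPLE_NAMESPACES = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "openshift-monitoring", "labels": {"openshift.io/cluster-monitoring": "true"}}},
  {"metadata": {"name": "team-a-gitops", "labels": {"openshift.io/cluster-monitoring": "true"}}},
  {"metadata": {"name": "team-b", "labels": {}}},
  {"metadata": {"name": "team-c-gitops", "labels": {"openshift.io/cluster-monitoring": "true"}}}
]}
""")

SAMPLE_RULES = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "platform-alerts", "namespace": "openshift-monitoring"}},
  {"metadata": {"name": "tenant-rule", "namespace": "team-a-gitops"}}
]}
""")


if __name__ == "__main__":
    # On a live cluster, replace the samples with the parsed output of
    #   oc get namespaces -o json       and
    #   oc get prometheusrules -A -o json
    for finding in audit(SAMPLE_NAMESPACES, SAMPLE_RULES):
        print(f"{finding['namespace']}: label present, "
              f"PrometheusRules={finding['prometheusrules']}")
```

On the sample data the audit reports `team-a-gitops` (with `tenant-rule` already in place) and `team-c-gitops` (label present, no rules yet); `openshift-monitoring` is skipped as a platform namespace and `team-b` is unlabeled. Run against a patched cluster the list should be empty unless a namespace was labeled deliberately.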
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0134
Vulnerability details
A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
- CWE(s): CWE-668 (Exposure of Resource to Wrong Sphere)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Disable or Modify Tools (T1685)
Why these techniques?
The vulnerability enables cluster-wide manipulation of PrometheusRules via a misapplied monitoring label, directly facilitating impairment of the platform monitoring stack (a defensive capability).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and correction of the flaw in openshift-gitops-operator-container that automatically applies the openshift.io/cluster-monitoring label to namespaces.
- CM-5 (Access Restrictions for Change): restricts access to configuration management functions, preventing unauthorized deployment of ArgoCD CR instances that trigger the vulnerable automatic labeling.
- AC-6 (Least Privilege): enforces least privilege to ensure only authorized high-privilege roles can deploy ArgoCD CRs, limiting exploitation opportunities in unauthorized namespaces.