Cyber Resilience

CVE-2024-13484

Severity: High
Published: 28 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Red Hat errata below)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0020 (9.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2024-13484 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE is ranked at the 9.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2024-13484 is a vulnerability in the openshift-gitops-operator-container, associated with CWE-668. The flaw occurs because the openshift.io/cluster-monitoring label is automatically applied to all namespaces that deploy an ArgoCD Custom Resource (CR) instance. This labeling enables those namespaces to create a rogue PrometheusRule, which is then rolled out cluster-wide due to the label, resulting in adverse effects on the platform monitoring stack.

The vulnerability has a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). Exploitation requires local access and high privileges within the affected OpenShift environment. A privileged attacker can deploy an ArgoCD CR instance in a namespace, trigger the application of the cluster-monitoring label, and create a malicious PrometheusRule that propagates cluster-wide, potentially compromising confidentiality, integrity, and availability of the monitoring stack with high impact.

Red Hat has issued multiple errata addressing this issue, including RHSA-2025:7753, RHSA-2025:8274, and RHSA-2025:9506. Further details on the vulnerability and mitigation steps are available in the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2024-13484 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2269376.
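As a defender-side check for the exposure described above, the following added example (not code from this page, from Red Hat, or from the openshift-gitops operator) audits Namespace, ArgoCD and PrometheusRule snapshots and flags namespaces that carry the openshift.io/cluster-monitoring label outside the platform's own openshift-* namespaces, listing the PrometheusRule objects they hold. It assumes the label value is the string "true" and that the openshift- prefix is the right allow-list for the cluster; the sample resources are constructed.

```python
from dataclasses import dataclass, field

# Label named in the advisory; the platform monitoring stack treats
# PrometheusRule objects in namespaces carrying it as cluster-wide rules.
MONITORING_LABEL = "openshift.io/cluster-monitoring"

@dataclass
class Finding:
    namespace: str
    has_argocd_cr: bool
    prometheus_rules: list = field(default_factory=list)

def _labelled_true(ns: dict) -> bool:
    # Assumption: the label is set to the string "true" (case-insensitive).
    labels = ns.get("metadata", {}).get("labels") or {}
    return str(labels.get(MONITORING_LABEL, "")).lower() == "true"

def audit_monitoring_label(namespaces, argocds, rules, allowed_prefix="openshift-"):
    """Flag labelled namespaces outside the platform's own openshift-* set.

    Inputs are lists of resource dicts in the shape of `kubectl get -o json`
    items (Namespace, ArgoCD and PrometheusRule objects respectively).
    """
    argocd_ns = {a["metadata"]["namespace"] for a in argocds}
    rules_by_ns: dict = {}
    for r in rules:
        rules_by_ns.setdefault(r["metadata"]["namespace"], []).append(r["metadata"]["name"])
    findings = []
    for ns in namespaces:
        name = ns["metadata"]["name"]
        if name.startswith(allowed_prefix) or not _labelled_true(ns):
            continue  # platform namespace, or label absent / not "true"
        findings.append(Finding(name, name in argocd_ns, sorted(rules_by_ns.get(name, []))))
    return findings

# Constructed sample snapshots for this example (not real cluster data).
NAMESPACES = [
    {"metadata": {"name": "openshift-monitoring", "labels": {MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-a", "labels": {MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-b", "labels": {}}},
]
ARGOCDS = [{"metadata": {"name": "argocd", "namespace": "team-a"}}]
RULES = [
    {"metadata": {"name": "team-a-alerts", "namespace": "team-a"}},
    {"metadata": {"name": "platform-alerts", "namespace": "openshift-monitoring"}},
]
```

Run against live data by feeding the `items` arrays of `kubectl get namespaces -o json`, `kubectl get argocds -A -o json` and `kubectl get prometheusrules -A -o json`; a finding in a tenant namespace is the condition the errata above remove.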

Vulnerability details

A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

CWE(s)

CWE-668: Exposure of Resource to Wrong Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques

T1685 Disable or Modify Tools (Defense Impairment): Adversaries may disable, degrade, or tamper with security tools or applications (e.

Why these techniques?

The vulnerability enables cluster-wide manipulation of PrometheusRules via the misapplied monitoring label, which directly facilitates impairment of the platform monitoring stack (a defensive control).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25176 (shared CWE-668)
CVE-2026-44009 (shared CWE-668)
CVE-2026-34765 (shared CWE-668)
CVE-2026-39911 (shared CWE-668)
CVE-2026-28779 (shared CWE-668)
CVE-2026-30912 (shared CWE-668)
CVE-2022-49509 (shared CWE-668)
CVE-2026-33573 (shared CWE-668)
CVE-2026-20160 (shared CWE-668)
CVE-2026-45411 (shared CWE-668)

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of the flaw in openshift-gitops-operator-container that automatically applies the openshift.io/cluster-monitoring label to namespaces.

prevent (CM-5, Access Restrictions for Change): Restricts access to configuration management functions, preventing unauthorized deployment of ArgoCD CR instances that trigger the vulnerable automatic labeling.

prevent (AC-6, Least Privilege): Enforces least privilege so that only authorized high-privilege roles can deploy ArgoCD CRs, limiting exploitation opportunities in unauthorized namespaces.
