CVE-2024-31989

Severity: Critical · Public PoC referenced

Published: 21 May 2024
Modified: 09 January 2025
KEV Added: not listed
Patch: available (2.8.19, 2.9.15, 2.10.10)
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1201 (93.9th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-31989 is a critical-severity vulnerability in Argo CD (argoproj), classified in the NVD entry as Use of a Broken or Risky Cryptographic Algorithm (CWE-327). Its CVSS v3.1 base score is 9.0 (Critical); the vector's AV:A component means the attacker must already have a position on the cluster network, which in practice is any pod they control.

Operationally, it ranks in the top 6.1% of CVEs by EPSS exploit likelihood (93.9th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is affected by an access-control weakness: an unprivileged pod running in a different namespace on the same cluster can connect to the Argo CD Redis instance listening on port 6379, and Redis accepts the connection without authentication. Isolation of that port therefore rests entirely on Kubernetes NetworkPolicy, and on EKS the Amazon VPC CNI plugin does not enforce NetworkPolicy by default even at its latest version; the operator has to enable enforcement explicitly, so many clusters carry a policy that is never applied. The vulnerability is tracked as CVE-2024-31989 with a CVSS score of 9.0. The NVD entry associates it with CWE-327, although the exploitable condition described in the advisory is missing authentication and network isolation on the Redis service rather than a weak algorithm.

An attacker who can deploy or compromise a pod inside the cluster can therefore connect directly to Redis without authentication. Successful exploitation grants the ability to escalate privileges to the level of the Argo CD cluster controller or to extract sensitive information stored in the Redis instance, affecting any deployment that lacks strict network-level controls around the Redis component.

The project has released patched versions 2.8.19, 2.9.15, and 2.10.10; the referenced commits implement the necessary changes to restrict Redis access. The EPSS score has remained flat at 0.1201 with no material increase since disclosure.

Vulnerability details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
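The two conditions the advisory and the analysis above describe (Redis answering unauthenticated on 6379, and a NetworkPolicy that the CNI may not be enforcing) can be checked and closed from a shell. The script below is an added example, not code from the Argo CD project or the advisory. It assumes Argo CD is installed in the conventional `argocd` namespace with the upstream `app.kubernetes.io/name=argocd-*` pod labels, that Redis is reachable as `argocd-redis.argocd.svc.cluster.local`, and that `kubectl` and `nc` are available where the probe and apply paths run; the aws-node `ENABLE_NETWORK_POLICY` environment variable is the VPC CNI's enforcement switch.

```shell
#!/bin/sh
# Added example for CVE-2024-31989 (not Argo CD project code).
# Assumptions: namespace "argocd", upstream labels app.kubernetes.io/name=argocd-*,
# Redis service argocd-redis.argocd.svc.cluster.local:6379, kubectl + nc on PATH.

# Classify the first line Redis returns to a bare PING.
#   +PONG    -> answered without AUTH: open to any pod that can reach the port
#   -NOAUTH  -> requirepass is set; unauthenticated callers are refused
#   (empty)  -> no reply: unreachable, or a NetworkPolicy is being enforced
classify_redis_reply() {
  case "$1" in
    +PONG*)   echo open ;;
    -NOAUTH*) echo auth-required ;;
    "")       echo unreachable ;;
    *)        echo "unknown:$1" ;;
  esac
}

# Send PING as a RESP inline command over raw TCP and classify the answer.
# Run this from a pod in a namespace OTHER than argocd to reproduce the
# cross-namespace condition the advisory describes.
probe_redis() {
  host=${1:-argocd-redis.argocd.svc.cluster.local}
  port=${2:-6379}
  command -v nc >/dev/null 2>&1 || { echo "nc not found" >&2; return 2; }
  reply=$( { printf 'PING\r\n'; sleep 1; } | nc -w 2 "$host" "$port" 2>/dev/null \
           | head -n 1 | tr -d '\r')
  classify_redis_reply "$reply"
}

# Render an ingress policy for the Redis pods that admits only the Argo CD
# components that legitimately talk to Redis. A podSelector without a
# namespaceSelector matches the policy's own namespace, so pods elsewhere are
# denied. The policy only takes effect if the CNI enforces NetworkPolicy.
render_redis_netpol() {
  ns=${1:-argocd}
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-restrict-ingress
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-repo-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    ports:
    - protocol: TCP
      port: 6379
EOF
}

# On EKS, confirm the VPC CNI is actually enforcing policies (off by default):
# the aws-node DaemonSet must carry ENABLE_NETWORK_POLICY=true.
check_vpc_cni_enforcement() {
  kubectl -n kube-system get ds aws-node \
    -o jsonpath='{.spec.template.spec.containers[?(@.name=="aws-node")].env[?(@.name=="ENABLE_NETWORK_POLICY")].value}'
}

case "${1:-}" in
  probe)  probe_redis "${2:-}" "${3:-}" ;;
  netpol) render_redis_netpol "${2:-argocd}" | kubectl apply -f - ;;
  cni)    v=$(check_vpc_cni_enforcement); echo "ENABLE_NETWORK_POLICY=${v:-unset}" ;;
esac
```

Usage: `sh check.sh probe` from a pod outside `argocd` should print `open` on an unpatched, unisolated install and `unreachable` once the policy is enforced; `sh check.sh cni` printing anything other than `true` means the rendered policy is inert on that EKS cluster regardless of what `sh check.sh netpol` applies. Note that a NetworkPolicy narrows who can reach the port but does not add authentication; the patched releases are what close the unauthenticated-access half of the issue.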

CWE(s)

CWE-327: Use of a Broken or Risky Cryptographic Algorithm (as cited in the NVD entry)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

argoproj
argo cd
< 2.8.19 · 2.9.0 — 2.9.14 · 2.10.0 — 2.10.9 (fixed in 2.8.19, 2.9.15 and 2.10.10)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-327) cited in the NVD entry and therefore targets cryptographic algorithm selection. It does not cover the controls the advisory itself calls for: updating to a patched release, enforcing NetworkPolicy on the cluster (including enabling enforcement in the VPC CNI on EKS), and restricting access to the Redis instance.

addresses: CWE-327

Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.

addresses: CWE-327

Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms.

addresses: CWE-327

Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively.

addresses: CWE-327

Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones.

addresses: CWE-327

Risk updates surface newly-broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement.

addresses: CWE-327

Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.

addresses: CWE-327

Enforces approved cryptographic algorithms for each use case, blocking use of broken or risky algorithms.

addresses: CWE-327

Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors.
