CVE-2024-31989
Published: 21 May 2024
Summary
CVE-2024-31989 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Argoproj Argo CD. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is affected by an access-control weakness that allows an unprivileged pod running in a different namespace on the same cluster to reach the Redis instance listening on port 6379. The issue stems from the fact that the Amazon VPC CNI plugin does not enforce network policies by default on EKS clusters, leaving Redis exposed unless the operator explicitly enables the required configuration. The vulnerability is tracked as CVE-2024-31989 with a CVSS score of 9.0 and is associated with CWE-327.
An attacker who can deploy or compromise a pod inside the cluster can therefore connect directly to Redis without authentication. Successful exploitation grants the ability to escalate privileges to the level of the Argo CD cluster controller or to extract sensitive information stored in the Redis instance, affecting any deployment that lacks strict network-level controls around the Redis component.
The project has released patched versions 2.8.19, 2.9.15, and 2.10.10; the referenced commits implement the necessary changes to restrict Redis access. The EPSS score has remained flat at 0.1201 with no material increase since disclosure.
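The "strict network-level controls around the Redis component" that the analysis refers to are, in Kubernetes terms, a NetworkPolicy on the Redis pods. The manifest below is an added example written for this page; it is not taken from the advisory or from the Argo CD project's own install manifests. It assumes Argo CD is installed in the `argocd` namespace and that the pods carry the `app.kubernetes.io/name` labels shown (both are assumptions to be checked against the actual deployment). Because the ingress rule uses a `podSelector` with no `namespaceSelector`, only pods in the same namespace that match the selector can reach port 6379; a pod in any other namespace, which is the scenario the advisory describes, is denied.

```yaml
# Added example NetworkPolicy (not from the advisory or the Argo CD project).
# Restricts ingress to the Argo CD Redis pods so that only Argo CD's own
# components in the same namespace may reach TCP/6379.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-restrict-ingress   # hypothetical policy name
  namespace: argocd                     # assumption: Argo CD namespace
spec:
  # Target: the Redis pods (label assumed to match the Argo CD install manifests)
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        # No namespaceSelector here: only pods in the "argocd" namespace
        # that match this selector are allowed; other namespaces are denied.
        - podSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - argocd-server
                  - argocd-repo-server
                  - argocd-application-controller
      ports:
        - protocol: TCP
          port: 6379
```

Apply it with `kubectl apply -f <file>` and then confirm it is actually enforced: a NetworkPolicy object is only honoured if the cluster's CNI enforces network policy, and, as the advisory notes, on EKS with the Amazon VPC CNI that enforcement is off until the operator explicitly enables it. A simple validation is to attempt a TCP connection to the Redis service from a throwaway pod in a different namespace and check that it is refused or times out; if it succeeds, the policy exists but nothing is enforcing it. This control is complementary to upgrading to the patched versions listed above, not a substitute for it.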
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1545
Vulnerability details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.
Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms.
Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively.
Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones.
Risk updates surface newly broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement.
Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.
Enforces approved cryptographic algorithms for each use case, blocking use of broken or risky algorithms.
Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors.