CVE-2024-31989

9.0 CRITICAL

📋 TL;DR

This vulnerability allows unprivileged pods in different Kubernetes namespaces to connect to Argo CD's Redis server on port 6379, potentially leading to privilege escalation to cluster controller level or information leakage. It affects Argo CD users who haven't manually enabled network policies in their EKS clusters, even with the latest VPC CNI plugin installed.

💻 Affected Systems

Products:
  • Argo CD
Versions: All versions before 2.8.19, 2.9.15, and 2.10.10
Operating Systems: Any OS running Argo CD on Kubernetes
Default Config Vulnerable: ⚠️ Yes
Notes: Affects EKS clusters where VPC CNI plugin is installed but network policies aren't manually enabled. Other Kubernetes distributions may also be vulnerable if similar network policy configurations exist.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker gains cluster controller privileges, enabling full control over the Kubernetes cluster and all workloads.

🟠 Likely Case: Information leakage from Redis containing sensitive configuration data, potentially exposing credentials and deployment secrets.

🟢 If Mitigated: With proper network policies enabled, the risk is limited to authorized pods only, preventing cross-namespace access.

🌐 Internet-Facing: LOW - This requires access to the Kubernetes cluster network, not directly internet-facing.
🏢 Internal Only: HIGH - Any compromised pod within the cluster could exploit this vulnerability to access Redis.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a pod within the cluster but doesn't require authentication to Redis. The attack involves simple network connections to port 6379.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.19, 2.9.15, or 2.10.10

Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories

Restart Required: Yes

Instructions:

1. Identify your Argo CD version.
2. Upgrade to 2.8.19, 2.9.15, or 2.10.10 based on your current major version.
3. Restart Argo CD components.
4. Verify network policies are properly configured in your EKS cluster.

🔧 Temporary Workarounds

Enable Network Policies in EKS

linux

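Manually enable network policy enforcement in the VPC CNI add-on so that NetworkPolicy objects restrict pod-to-pod communication (the command assumes VPC CNI is installed as an EKS managed add-on)

aws eks update-addon --cluster-name <cluster-name> --region <region> --addon-name vpc-cni --resolve-conflicts PRESERVE --configuration-values '{"enableNetworkPolicy": "true"}'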

Configure NetworkPolicy for Redis

all

Create Kubernetes NetworkPolicy to restrict access to Redis port 6379

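kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-access
  namespace: argocd
spec:
  # Labels follow the upstream Argo CD install manifests; confirm yours with
  # kubectl get pods -n argocd --show-labels
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
  - Ingress
  ingress:
  # Every Argo CD component that uses the Redis cache must be listed
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-repo-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    ports:
    - protocol: TCP
      port: 6379
EOF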

🧯 If You Can't Patch

  • Implement strict network policies to isolate Redis from other namespaces
  • Monitor network traffic to Redis port 6379 for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check if pods in other namespaces can connect to Redis:

kubectl run test-pod --image=alpine --rm -it --restart=Never -- sh -c 'nc -zv argocd-redis.argocd.svc.cluster.local 6379'

Check Version:

kubectl get deployment -n argocd argocd-server -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v[0-9.]*'

Verify Fix Applied:

After patching, verify the same test fails and network policies are properly configured
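
To confirm that an applied policy actually isolates Redis, this added example (not from the original page or the Argo CD project) evaluates NetworkPolicy specs shaped like the `items` of `kubectl get networkpolicy -n argocd -o json`. The Redis pod label, the `policy()` helper and both sample policies are assumptions constructed for illustration.

```python
# Added example: audit NetworkPolicy specs for ingress to Argo CD Redis.
# Assumption: Redis pods carry the upstream install-manifest label below.
REDIS_LABELS = {"app.kubernetes.io/name": "argocd-redis"}

def selects(selector, labels):
    """matchLabels-only match; an empty selector selects every pod."""
    selector = selector or {}
    if selector.get("matchExpressions"):
        return False  # not evaluated here: treated as no match, so exposure is reported
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def covers_port(rule, port):
    """True if the ingress rule applies to TCP/<port>; no 'ports' means all ports."""
    for p in rule.get("ports") or [{}]:
        if p.get("protocol", "TCP") != "TCP":
            continue
        num = p.get("port")
        if not isinstance(num, int) or num <= port <= p.get("endPort", num):
            return True  # an omitted or named port is assumed to cover it
    return False

def audit_redis_ingress(policies, labels=REDIS_LABELS, port=6379):
    out = {"isolated": False, "open_to_all": False, "cross_namespace": False, "peers": []}
    for pol in policies:
        spec = pol.get("spec", {})
        if ("Ingress" not in spec.get("policyTypes", ["Ingress"])
                or not selects(spec.get("podSelector"), labels)):
            continue  # policy does not govern ingress to the Redis pods
        out["isolated"] = True  # Redis ingress is now default-deny
        for rule in spec.get("ingress") or []:
            if not covers_port(rule, port):
                continue
            peers = rule.get("from")
            if not peers:
                out["open_to_all"] = True  # a rule without 'from' admits any source
            for peer in peers or []:
                if "namespaceSelector" in peer or "ipBlock" in peer:
                    out["cross_namespace"] = True  # reachable from outside the namespace
                else:
                    out["peers"].append(peer.get("podSelector", {}).get("matchLabels", {}))
    return out

def policy(target, sources):  # constructed sample policy, not real cluster output
    return {"spec": {"podSelector": {"matchLabels": target}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"podSelector": {"matchLabels": s}} for s in sources],
                                  "ports": [{"protocol": "TCP", "port": 6379}]}]}}

MISMATCHED = [policy({"app": "redis"}, [{"app": "argocd-server"}])]
MATCHING = [policy(REDIS_LABELS, [{"app.kubernetes.io/name": "argocd-server"}])]
```

A result with `isolated` false means no policy selects the Redis pods, so port 6379 remains reachable from every namespace even though a policy object exists.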

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized connection attempts to Redis in Argo CD logs
  • Redis authentication failures from unexpected sources

Network Indicators:

  • Network connections to port 6379 from pods outside the Argo CD namespace
  • Unusual Redis command patterns from unauthorized sources

SIEM Query:

source="kube-audit" AND verb="connect" AND objectRef.resource="pods" AND objectRef.subresource="portforward" AND responseStatus.code=200 AND requestURI LIKE "%6379%"
