SB2024052149 - Use of a broken or risky cryptographic algorithm in Argo CD




Published: May 21, 2024 Updated: May 2, 2026

Security Bulletin ID: SB2024052149
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Adjacent network
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2024-31989)

The vulnerability allows a remote user to execute arbitrary deployments and disclose sensitive information.

The vulnerability exists due to the use of risky or missing cryptographic algorithms for Redis cache entries when processing data read from the Redis cache. A remote user can modify the "mfst" or "app|resources-tree" keys to execute arbitrary deployments and disclose sensitive information.

Exploitation requires access to the Redis server on the local network segment, such as from another pod in the same cluster.
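The sketch below is an added example, not Argo CD code and not the vendor's fix. It shows the general defence for cache entries that are read back from a shared store: authenticate each value with an HMAC bound to its key before trusting it. The function names, the secret and the in-memory map standing in for Redis are assumptions; the key names are the ones quoted above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrTampered is returned when a cache entry fails its integrity check.
var ErrTampered = errors.New("cache entry failed integrity check")

// tag computes HMAC-SHA256 over the length-prefixed cache key and the value,
// so a valid entry cannot be moved to a different key.
func tag(secret []byte, key string, value []byte) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d:%s", len(key), key)
	m.Write(value)
	return m.Sum(nil)
}

// seal returns tag || value, the form that is written to the cache.
func seal(secret []byte, key string, value []byte) []byte {
	return append(tag(secret, key, value), value...)
}

// open verifies the tag and only then hands the value to the caller.
func open(secret []byte, key string, entry []byte) ([]byte, error) {
	if len(entry) < sha256.Size {
		return nil, ErrTampered
	}
	got, value := entry[:sha256.Size], entry[sha256.Size:]
	if !hmac.Equal(got, tag(secret, key, value)) { // constant-time comparison
		return nil, ErrTampered
	}
	return value, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // assumption: held by the application, never stored in the cache
	cache := map[string][]byte{}                // constructed stand-in for the Redis server
	cache["mfst"] = seal(secret, "mfst", []byte(`{"manifests":["a"]}`))

	// A writer without the secret replaces the value but must reuse the old tag.
	forged := append([]byte{}, cache["mfst"][:sha256.Size]...)
	cache["mfst"] = append(forged, []byte(`{"manifests":["x"]}`)...)

	_, err := open(secret, "mfst", cache["mfst"])
	fmt.Println("modified entry:", err)
}
```
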


Remediation

Install the update from the vendor's website.