Use of a broken or risky cryptographic algorithm in Argo CD - CVE-2024-31989


Published: May 21, 2024 / Updated: May 2, 2026


Vulnerability identifier: #VU129013
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-31989
CWE-ID: CWE-327
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
Argo CD
Software vendor:
Argo

Description

The vulnerability allows a remote user to execute arbitrary deployments and disclose sensitive information.

The vulnerability exists due to the use of risky or missing cryptographic protection for Redis cache entries: data read back from the Redis cache is trusted without any integrity verification. A remote user who can write to the cache can modify the "mfst" or "app|resources-tree" keys to execute arbitrary deployments and disclose sensitive information.

Exploitation requires access to the Redis server on the local network segment, such as from another pod in the same cluster.
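One mitigation pattern for the weakness this advisory describes, written here as an added example in Go (the language Argo CD is implemented in) and not taken from Argo CD's own code: each cache value is bound to its key with an HMAC-SHA256 tag computed under a secret that only the trusted components hold, and a value whose tag does not verify is rejected instead of acted on. The in-memory map standing in for Redis, the key names and the secret are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

var ErrTampered = errors.New("cache entry failed integrity check")

// SignedCache wraps a plain key/value store (an in-memory map standing in for
// Redis) and binds each value to its key with an HMAC-SHA256 tag computed under
// a server-side secret that plain cache clients never see.
type SignedCache struct {
	store map[string]string
	key   []byte
}
func NewSignedCache(secret []byte) *SignedCache {
	return &SignedCache{store: map[string]string{}, key: secret}
}
// tag covers key and value, so a valid tag cannot be copied from one entry
// (one app's "mfst") onto another; the zero byte keeps the boundary unambiguous.
func (c *SignedCache) tag(key, value string) string {
	m := hmac.New(sha256.New, c.key)
	m.Write([]byte(key))
	m.Write([]byte{0})
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}
// Set stores "<hex tag>:<value>" under key.
func (c *SignedCache) Set(key, value string) { c.store[key] = c.tag(key, value) + ":" + value }
// Get recomputes the tag and compares it in constant time before trusting the
// value, so an entry written without the secret is rejected rather than acted on.
func (c *SignedCache) Get(key string) (string, error) {
	raw, ok := c.store[key]
	if !ok {
		return "", errors.New("cache miss")
	}
	tag, value, found := strings.Cut(raw, ":") // tag is hex, so the first ':' ends it
	if !found || !hmac.Equal([]byte(tag), []byte(c.tag(key, value))) {
		return "", ErrTampered
	}
	return value, nil
}
// RawWrite stands in for any client that can reach the store directly (constructed for the example).
func (c *SignedCache) RawWrite(key, value string) { c.store[key] = value }
```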


Remediation

Install security update from vendor's website.

External links