OpenShift GitOps
GITOPS-6251

CVE-2024-13484 openshift-gitops-operator-container: Namespace Isolation Break [gitops-1.15]


    • GitOps Crimson Sprint 3270, GitOps Crimson Sprint 3271, GitOps Crimson Sprint 13
    • Moderate

      Security Tracking Issue

      Do not make this issue public.

      Flaw:

      Namespace Isolation Break
      https://bugzilla.redhat.com/show_bug.cgi?id=2269376

      Currently the GitOps operator applies the label openshift.io/cluster-monitoring to every namespace in which an ArgoCD CR instance is deployed. Because that label marks the namespace as part of cluster monitoring, a PrometheusRule created in the namespace is picked up by the platform monitoring stack and rolled out cluster-wide. A rogue PrometheusRule in such a namespace can therefore have adverse effects on the platform monitoring stack.

      This gives anyone who can deploy an ArgoCD instance in a namespace a way to escalate out of that namespace's isolation and affect the entire cluster.
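      An audit for the condition described above, as an added example that is not part of this issue or of the operator's code: it takes the JSON that `oc get namespaces -o json` and `oc get prometheusrules -A -o json` produce (constructed sample listings are embedded so it runs offline) and reports every non-platform namespace that carries openshift.io/cluster-monitoring=true together with the PrometheusRule objects it contains. The platform-namespace heuristic (openshift-*, kube-*, default) and the sample namespace and rule names are assumptions.

```python
"""Audit namespaces for the cluster-monitoring label and the PrometheusRules
they expose to the platform monitoring stack.

Added example, not code from the OpenShift GitOps operator. Input is the JSON
shape of `oc get namespaces -o json` and `oc get prometheusrules -A -o json`;
the listings below are constructed sample data."""
import json

CLUSTER_MONITORING_LABEL = "openshift.io/cluster-monitoring"

# Constructed sample: one platform namespace, one tenant namespace the
# operator labelled because it hosts an ArgoCD CR (the flaw condition),
# and one unlabelled tenant namespace.
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "openshift-monitoring",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-a-gitops",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-b", "labels": {}}},
]})

# Constructed sample PrometheusRule listing (names and expressions are made up).
PROMETHEUSRULES_JSON = json.dumps({"items": [
    {"metadata": {"name": "argocd-alerts", "namespace": "team-a-gitops"},
     "spec": {"groups": [{"name": "argocd", "rules": [
         {"alert": "ArgoCDAppOutOfSync",
          "expr": 'argocd_app_info{sync_status!="Synced"} > 0'}]}]}},
    {"metadata": {"name": "team-b-alerts", "namespace": "team-b"},
     "spec": {"groups": [{"name": "team-b", "rules": [
         {"alert": "TeamBTest", "expr": "vector(1)"}]}]}},
]})


def is_platform_namespace(name: str) -> bool:
    """Heuristic (assumption): namespaces expected to carry the label."""
    return name == "default" or name.startswith(("openshift-", "kube-"))


def labelled_namespaces(ns_json: str) -> list[str]:
    """Names of namespaces carrying openshift.io/cluster-monitoring=true."""
    out = []
    for item in json.loads(ns_json)["items"]:
        labels = item["metadata"].get("labels") or {}
        if labels.get(CLUSTER_MONITORING_LABEL) == "true":
            out.append(item["metadata"]["name"])
    return out


def find_exposed_rules(ns_json: str, rules_json: str) -> dict[str, list[str]]:
    """Map each labelled non-platform namespace to the PrometheusRule names in it.

    Any rule listed here is evaluated by the platform monitoring stack even
    though a tenant wrote it; an empty list still flags the namespace, since
    the label alone is enough for a rule added later to be picked up."""
    suspect = {n for n in labelled_namespaces(ns_json) if not is_platform_namespace(n)}
    exposed: dict[str, list[str]] = {n: [] for n in suspect}
    for item in json.loads(rules_json)["items"]:
        ns = item["metadata"]["namespace"]
        if ns in suspect:
            exposed[ns].append(item["metadata"]["name"])
    return exposed


if __name__ == "__main__":
    for ns, rules in find_exposed_rules(NAMESPACES_JSON, PROMETHEUSRULES_JSON).items():
        print(f"{ns}: {CLUSTER_MONITORING_LABEL}=true, PrometheusRules: {rules or 'none yet'}")
```

      Against a live cluster, feed the two `oc get ... -o json` outputs to the functions in place of the embedded samples; every tenant namespace reported is one from which a PrometheusRule reaches the platform monitoring stack, which is the escalation path the flaw describes.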


              rh-ee-ansingh Anand Singh
              gsuckevi@redhat.com Guilherme Suckevicz
              Anand Francis Joseph, Jayachandra Prabhakar, William Tam