CVE-2024-13484 - Vulnerability Details

A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00045.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Openshift Gitops

No data.

Package	CPE	Advisory	Released Date
Red Hat OpenShift GitOps 1.14
openshift-gitops-1/argocd-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.14.4-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:8274	2025-05-28T00:00:00Z
Red Hat OpenShift GitOps 1.15
openshift-gitops-1/argocd-extensions-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.15.2-1	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.15.2-4	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:7753	2025-05-15T00:00:00Z
Red Hat OpenShift GitOps 1.16
registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator:sha256:81ea9837bfd653a2e965e7d545afede7d4bee6bf9cc658b7c81aceb6ee097b05	cpe:/a:redhat:openshift_gitops:1.16::el8	RHSA-2025:9506	2025-06-24T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:7753
https://access.redhat.com/errata/RHSA-2025:8274
https://access.redhat.com/errata/RHSA-2025:9506
https://access.redhat.com/security/cve/CVE-2024-13484
https://bugzilla.redhat.com/show_bug.cgi?id=2269376
https://nvd.nist.gov/vuln/detail/CVE-2024-13484
https://www.cve.org/CVERecord?id=CVE-2024-13484

History

Tue, 24 Jun 2025 06:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_gitops:1.16::el8
References		https://access.redhat.com/errata/RHSA-2025:9506

Wed, 28 May 2025 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_gitops:1.14::el8 cpe:/a:redhat:openshift_gitops:1.14::el9
References		https://access.redhat.com/errata/RHSA-2025:8274

Thu, 15 May 2025 23:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:openshift_gitops:1~~	cpe:/a:redhat:openshift_gitops:1.15::el8 cpe:/a:redhat:openshift_gitops:1.15::el9
References		https://access.redhat.com/errata/RHSA-2025:7753

Wed, 12 Feb 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.	A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

Wed, 12 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 12 Feb 2025 15:45:00 +0000

Type	Values Removed	Values Added
Title	Argocd: namespace isolation break	Openshift-gitops-operator-container: namespace isolation break

Wed, 29 Jan 2025 01:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-13484 https://www.cve.org/CVERecord?id=CVE-2024-13484
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 28 Jan 2025 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-668

Tue, 28 Jan 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Title		Argocd: namespace isolation break
First Time appeared		Redhat Redhat openshift Gitops
CPEs		cpe:/a:redhat:openshift_gitops:1
Vendors & Products		Redhat Redhat openshift Gitops
References		https://access.redhat.com/security/cve/CVE-2024-13484 https://bugzilla.redhat.com/show_bug.cgi?id=2269376
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-01-28T17:54:28.701Z

Updated: 2025-08-30T09:22:42.010Z

Reserved: 2025-01-16T19:04:50.460Z

Link: CVE-2024-13484

Vulnrichment

Updated: 2025-02-12T16:02:42.943Z

NVD

Status : Awaiting Analysis

Published: 2025-01-28T18:15:32.537

Modified: 2025-06-24T07:15:25.973

Link: CVE-2024-13484

Redhat

Severity : Moderate

Publid Date: 2025-01-28T17:43:15Z

Links: CVE-2024-13484 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object