A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Redhat
  • Openshift Gitops

No data.

Package CPE Advisory Released Date
Red Hat OpenShift GitOps 1.14
openshift-gitops-1/argocd-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.14.4-1 cpe:/a:redhat:openshift_gitops:1.14::el8 RHSA-2025:8274 2025-05-28T00:00:00Z
Red Hat OpenShift GitOps 1.15
openshift-gitops-1/argocd-extensions-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.15.2-1 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.15.2-4 cpe:/a:redhat:openshift_gitops:1.15::el8 RHSA-2025:7753 2025-05-15T00:00:00Z
Red Hat OpenShift GitOps 1.16
registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator:sha256:81ea9837bfd653a2e965e7d545afede7d4bee6bf9cc658b7c81aceb6ee097b05 cpe:/a:redhat:openshift_gitops:1.16::el8 RHSA-2025:9506 2025-06-24T00:00:00Z

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-0134 A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Github GHSA Github GHSA GHSA-58fx-7v9q-3g56 OpenShift GitOps Operator Namespace Isolation Break
Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References
Link Providers
https://access.redhat.com/errata/RHSA-2025:7753 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:8274 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9506 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-13484 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2269376 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-13484 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-13484 cve-icon
History

Tue, 24 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_gitops:1.16::el8
References

Wed, 28 May 2025 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_gitops:1.14::el8
cpe:/a:redhat:openshift_gitops:1.14::el9
References

Thu, 15 May 2025 23:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_gitops:1 cpe:/a:redhat:openshift_gitops:1.15::el8
cpe:/a:redhat:openshift_gitops:1.15::el9
References

Wed, 12 Feb 2025 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied. A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

Wed, 12 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Feb 2025 15:45:00 +0000

Type Values Removed Values Added
Title Argocd: namespace isolation break Openshift-gitops-operator-container: namespace isolation break

Wed, 29 Jan 2025 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 28 Jan 2025 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Tue, 28 Jan 2025 18:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Title Argocd: namespace isolation break
First Time appeared Redhat
Redhat openshift Gitops
CPEs cpe:/a:redhat:openshift_gitops:1
Vendors & Products Redhat
Redhat openshift Gitops
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-10-03T19:09:42.412Z

Reserved: 2025-01-16T19:04:50.460Z

Link: CVE-2024-13484

cve-icon Vulnrichment

Updated: 2025-02-12T16:02:42.943Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-01-28T18:15:32.537

Modified: 2025-06-24T07:15:25.973

Link: CVE-2024-13484

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-28T17:43:15Z

Links: CVE-2024-13484 - Bugzilla

cve-icon OpenCVE Enrichment

No data.