A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Tue, 24 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_gitops:1.16::el8
References

Wed, 28 May 2025 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_gitops:1.14::el8
cpe:/a:redhat:openshift_gitops:1.14::el9
References

Thu, 15 May 2025 23:00:00 +0000

Type | Values Removed | Values Added
CPEs | cpe:/a:redhat:openshift_gitops:1 | cpe:/a:redhat:openshift_gitops:1.15::el8, cpe:/a:redhat:openshift_gitops:1.15::el9
References

Wed, 12 Feb 2025 16:45:00 +0000

Type | Values Removed | Values Added
Description | A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied. | A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

Wed, 12 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 12 Feb 2025 15:45:00 +0000

Type | Values Removed | Values Added
Title | Argocd: namespace isolation break | Openshift-gitops-operator-container: namespace isolation break

Wed, 29 Jan 2025 01:30:00 +0000

Type Values Removed Values Added
References
Metrics | threat_severity: None | threat_severity: Moderate


Tue, 28 Jan 2025 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Tue, 28 Jan 2025 18:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Title Argocd: namespace isolation break
First Time appeared Redhat
Redhat openshift Gitops
CPEs cpe:/a:redhat:openshift_gitops:1
Vendors & Products Redhat
Redhat openshift Gitops
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-30T09:22:42.010Z

Reserved: 2025-01-16T19:04:50.460Z

Link: CVE-2024-13484

Vulnrichment

Updated: 2025-02-12T16:02:42.943Z

NVD

Status: Awaiting Analysis

Published: 2025-01-28T18:15:32.537

Modified: 2025-06-24T07:15:25.973

Link: CVE-2024-13484

Redhat

Severity: Moderate

Public Date: 2025-01-28T17:43:15Z

Links: CVE-2024-13484 - Bugzilla

OpenCVE Enrichment

No data.