Serious Flaw in Argo CD Repo-Server Allows Remote Code Execution

Aggregated by BrevFeed security · updated 20h ago

An unpatched flaw in Argo CD's repo-server allows unauthenticated attackers to execute code, potentially taking over Kubernetes clusters. Synacktiv, which discovered the issue, reports that the vulnerability remains unaddressed nearly 18 months after it was reported.

Key points

Flaw Description

Argo CD, a popular deployment tool for Kubernetes, contains an unpatched vulnerability in its repo-server component. This bug allows unauthenticated attackers to execute arbitrary code if they can access the component's internal network port. The issue was identified by security firm Synacktiv, which warned that it could lead to complete control over a Kubernetes cluster.

Details of the Vulnerability

The vulnerability exists in the internal gRPC service of the repo-server, which lacks authentication. Synacktiv demonstrated this flaw against Argo CD v2.13.3 and reported that no patches have been released. When an attacker sends a specially crafted request to the GenerateManifest service, they can manipulate the kustomize tool to run scripts from a malicious Git repository instead of standard helm commands.

Exploitation Pathway

The Argo CD installation process can leave Kubernetes network policies disabled by default, allowing compromised pods within the cluster to access the repo-server. By exploiting this vulnerability, an attacker can gain access to sensitive cluster data, such as the Redis password, and poison the deployment cache, resulting in the execution of attacker-defined workloads during synchronization.

Ongoing Risks

Further compounding the risk, a related issue (CVE-2024-31989) previously allowed any pod to poison the Redis cache, since Redis lacked a password. While a fix was applied to secure Redis with a password, the cache's lack of signing remains a vulnerability that could be exploited if the Redis password is compromised.

Recommended Mitigation

Given the serious nature of this vulnerability and the absence of a patch, Synacktiv recommends organizations ensure proper network isolation by enabling Kubernetes network policies. This will help protect the repo-server from unauthorized access.
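To check whether the isolation recommended above is actually in place, the following added example (not code from Synacktiv, Argo CD or the reporting) audits the JSON output of `kubectl get networkpolicy -n argocd -o json`. The `argocd` namespace, the `app.kubernetes.io/name: argocd-repo-server` pod label, and the names `selects` and `audit` are assumptions for illustration; adjust them to your install.

```python
import json

# Assumption: pod labels of the repo-server in a default install (not stated on the page).
REPO_SERVER_LABELS = {"app.kubernetes.io/name": "argocd-repo-server"}

def selects(selector, labels):
    """Evaluate a Kubernetes label selector; an empty selector matches every pod."""
    for key, want in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != want:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, vals = expr["key"], expr.get("values") or []
        ok = {"In": labels.get(key) in vals, "NotIn": labels.get(key) not in vals,
              "Exists": key in labels, "DoesNotExist": key not in labels}[expr["operator"]]
        if not ok:
            return False
    return True

def audit(policy_list, labels=REPO_SERVER_LABELS):
    """Return findings for pods carrying `labels`; an empty list means ingress is restricted."""
    applying = [p for p in policy_list.get("items", [])
                if "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])
                and selects(p["spec"].get("podSelector") or {}, labels)]
    if not applying:
        return ["no ingress NetworkPolicy selects the repo-server; any pod can reach it"]
    findings = []
    for p in applying:
        name = p["metadata"]["name"]
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from") or []
            if not peers:
                findings.append(f"{name}: rule without 'from' admits all sources")
            for peer in peers:
                if peer.get("namespaceSelector") == {} and not peer.get("podSelector"):
                    findings.append(f"{name}: empty namespaceSelector admits all namespaces")
    return findings

# Constructed sample: output shape of `kubectl get networkpolicy -n argocd -o json`.
SAMPLE = json.loads("""{"items": [{"metadata": {"name": "repo-server-ingress"},
  "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-repo-server"}},
           "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"podSelector": {"matchLabels":
               {"app.kubernetes.io/name": "argocd-application-controller"}}}]}]}}]}""")

if __name__ == "__main__":
    for label, data in (("no policies", {"items": []}), ("sample", SAMPLE)):
        print(label, "->", audit(data) or "restricted")
```

A NetworkPolicy object only takes effect when the cluster's network plugin enforces it, so a clean result here should be confirmed with a connection test from an unrelated pod.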

This summary was generated by AI from outlets' reporting. It is not independently verified and may contain errors; check the original sources.
