CVE-2024-31989 | ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache

Exp

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

Published: 2024-05-21 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2024-31989 is rated High Exploit Risk (70.6/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.48%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2024-31989

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2024-31989

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 12.01% 1.48% -10.53%
2 2026-06-09 9.09% 12.01% +2.92%
3 2026-03-04 9.09%

Full EPSS history (40 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-31989

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.0 3.1 CRITICAL
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.3 6.0 [email protected]
9.0 3.1 CRITICAL
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.3 6.0 [email protected]

Weakness enumeration for CVE-2024-31989

GitHub Security Advisory for CVE-2024-31989

GHSA-9766-5277-j5hr · Severity: critical · Ecosystem: go — ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache

OS Trackers for CVE-2024-31989

vendor priority summary link
redhat high https://access.redhat.com/security/cve/CVE-2024-31989

Affected software / configurations for CVE-2024-31989

Vendor Product Version Raw CPE
argoproj argo_cd < 2.8.19 cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
argoproj argo_cd >= 2.9.0, < 2.9.15 cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
argoproj argo_cd >= 2.10.0, < 2.10.10 cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
argoproj argo_cd >= 2.11.0, < 2.11.1 cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*

References for CVE-2024-31989

URL Tags
https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d Patch
https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678 Patch
https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c Patch
https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff Patch
https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12 Patch
https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07 Patch
https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994 Patch
https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0 Patch
https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr Exploit Vendor Advisory
cvelogic Threat Intelligence