Description
A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Problem types
Exposure of Resource to Wrong Sphere
Product status
Any version before 1.13
v1.14.4-1 (rpm) before *
v1.15.2-4 (rpm) before *
v1.15.2-1 (rpm) before *
1.16 (rpm) before *
Timeline
2024-03-13: Reported to Red Hat.
2025-01-28: Made public.
References
access.redhat.com/errata/RHSA-2025:7753 (RHSA-2025:7753)
access.redhat.com/errata/RHSA-2025:8274 (RHSA-2025:8274)
access.redhat.com/errata/RHSA-2025:9506 (RHSA-2025:9506)
access.redhat.com/security/cve/CVE-2024-13484
bugzilla.redhat.com/show_bug.cgi?id=2269376 (RHBZ#2269376)
github.com/redhat-developer/gitops-operator/pull/853
github.com/redhat-developer/gitops-operator/pull/867
github.com/redhat-developer/gitops-operator/pull/868
github.com/redhat-developer/gitops-operator/pull/869