Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40025 #2019

Closed
GoVulnBot opened this issue Aug 23, 2023 · 1 comment
Closed
Assignees

Comments

@GoVulnBot
Copy link

CVE-2023-40025 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
description: |-
    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All
    versions of Argo CD starting from version 2.6.0 have a bug where open web
    terminal sessions do not expire. This bug allows users to send any websocket
    messages even if the token has already expired. The most straightforward
    scenario is when a user opens the terminal view and leaves it open for an
    extended period. This allows the user to view sensitive information even when
    they should have been logged out already. A patch for this vulnerability has
    been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
cves:
    - CVE-2023-40025
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr
    - fix: https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478

@maceonthompson maceonthompson self-assigned this Aug 24, 2023
@maceonthompson maceonthompson added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. duplicate and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Aug 24, 2023
@maceonthompson
Copy link

Duplicate of #2018.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants