You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/argoproj/argo-cd
vulnerable_at: 1.8.6
packages:
- package: argo-cd
description: |-
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All
versions of Argo CD starting from version 2.6.0 have a bug where open web
terminal sessions do not expire. This bug allows users to send any websocket
messages even if the token has already expired. The most straightforward
scenario is when a user opens the terminal view and leaves it open for an
extended period. This allows the user to view sensitive information even when
they should have been logged out already. A patch for this vulnerability has
been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
cves:
- CVE-2023-40025
references:
- advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr
- fix: https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478
The text was updated successfully, but these errors were encountered:
CVE-2023-40025 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: