VYPR
High severity · NVD Advisory · Published Aug 23, 2023 · Updated Oct 1, 2024

Argo CD web terminal session doesn't expire

CVE-2023-40025

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
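The bug described above is a one-time authorization check at socket-open time with nothing re-validating the token afterwards. As an added illustration of the hardened shape (example code written here, not Argo CD's own implementation), the session re-reads the token's `exp` claim before every websocket message and refuses once it has passed. `sessionClaims`, `makeToken`, `terminalSession` and `handleMessage` are hypothetical names; only the `exp` claim is modelled, and signature verification is assumed to have happened when the socket was opened.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// sessionClaims: only the JWT "exp" claim matters here; the signature is assumed verified at connect time.
type sessionClaims struct {
	Exp int64 `json:"exp"`
}
// makeToken builds a constructed, unsigned JWT carrying the given expiry (test input only).
func makeToken(exp int64) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
	body, _ := json.Marshal(sessionClaims{Exp: exp})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}
// expiryOf reads the exp claim out of the token's payload segment.
func expiryOf(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("malformed token")
	}
	var c sessionClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return time.Time{}, err
	} else if err := json.Unmarshal(raw, &c); err != nil {
		return time.Time{}, err
	}
	return time.Unix(c.Exp, 0), nil // a missing exp decodes as 1970 and so fails closed
}
// terminalSession models one open web-terminal websocket; now is injectable for tests.
type terminalSession struct {
	token string
	now   func() time.Time
}
// handleMessage re-checks expiry before every websocket message instead of only at connect time.
func (s *terminalSession) handleMessage(msg string) (string, error) {
	exp, err := expiryOf(s.token)
	if err != nil {
		return "", err
	}
	if !s.now().Before(exp) {
		return "", errors.New("session expired: close websocket")
	}
	return "ran: " + msg, nil
}
```

A real handler would also close the socket on the expired path rather than just rejecting the one message, and a periodic ticker gives the same guarantee for sessions that sit idle without sending anything.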


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem  Affected versions                                                             Patched versions
github.com/argoproj/argo-cd/v2  Go         >= 2.6.0, < 2.6.14                                                            2.6.14
github.com/argoproj/argo-cd/v2  Go         >= 2.7.0, < 2.7.12                                                            2.7.12
github.com/argoproj/argo-cd/v2  Go         >= 2.8.0, < 2.8.1                                                             2.8.1
github.com/argoproj/argo-cd/v2  Go         >= 2.0.0-20230718200744-12a5a7a70d6e, < 2.0.0-20230821201509-e047efa8f951    2.0.0-20230821201509-e047efa8f951
