The Argo CD web terminal session does not handle the revocation of user permissions properly.
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It includes a web-based terminal that lets users open a shell inside a running pod, much as `kubectl exec` does. Starting in version 2.6.0, when an administrator enables this feature and grants a user the RBAC rule `p, role:myrole, exec, create, */*, allow`, the user can keep running commands in the container even after that rule is revoked, for as long as the terminal view stays open. Token expiration and revocation of the user were already addressed by an earlier fix, but that fix does not cover the case where only the `p, role:myrole, exec, create, */*, allow` rule is revoked, so an open session can still expose sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21.
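The flaw described above is a session that evaluates RBAC once, when the terminal is opened, and never again. The following Go program is an added example, not Argo CD's code: it models an in-memory policy store (a stand-in for Argo CD's casbin-backed RBAC, with only the `*/*` wildcard object supported) and a terminal session that either keeps the open-time decision for its whole lifetime (the vulnerable pattern) or re-evaluates the `exec, create` rule on every command (one way to close the gap; the project's actual fix is in the linked commits and may differ, for example by re-checking on a timer). The names `Policy`, `Session`, `Open`, `Exec` and `Scenario`, and the object `default/guestbook`, are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrForbidden is returned when the RBAC check for the session's subject fails.
var ErrForbidden = errors.New("exec/create not allowed for this subject and object")

// Policy is a minimal in-memory stand-in for an RBAC store (constructed for
// this example; Argo CD itself uses casbin, not this type).
type Policy struct {
	mu    sync.RWMutex
	rules map[string]bool
}

func NewPolicy() *Policy { return &Policy{rules: map[string]bool{}} }

func ruleKey(subject, resource, action, object string) string {
	return subject + "|" + resource + "|" + action + "|" + object
}

// Grant records a rule such as: p, role:myrole, exec, create, */*, allow
func (p *Policy) Grant(subject, resource, action, object string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.rules[ruleKey(subject, resource, action, object)] = true
}

// Revoke removes a previously granted rule.
func (p *Policy) Revoke(subject, resource, action, object string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	delete(p.rules, ruleKey(subject, resource, action, object))
}

// Allowed answers the question the exec handler should ask. Only the "*/*"
// wildcard object is understood here, to keep the example short.
func (p *Policy) Allowed(subject, resource, action, object string) bool {
	p.mu.RLock()
	defer p.mu.RUnlock()
	return p.rules[ruleKey(subject, resource, action, object)] ||
		p.rules[ruleKey(subject, resource, action, "*/*")]
}

// Session models one open web-terminal session to a pod.
type Session struct {
	policy    *Policy
	subject   string
	object    string   // "<project>/<application>" form, matched by the "*/*" rule
	recheck   bool     // true: re-evaluate RBAC on every command (the hardened mode)
	forwarded []string // commands the session actually forwarded to the pod
}

// Open performs the single check that happens when the terminal is created.
func Open(p *Policy, subject, object string, recheck bool) (*Session, error) {
	if !p.Allowed(subject, "exec", "create", object) {
		return nil, ErrForbidden
	}
	return &Session{policy: p, subject: subject, object: object, recheck: recheck}, nil
}

// Exec represents one command typed into the already-open terminal.
func (s *Session) Exec(cmd string) error {
	if s.recheck && !s.policy.Allowed(s.subject, "exec", "create", s.object) {
		return ErrForbidden // revocation now takes effect mid-session
	}
	s.forwarded = append(s.forwarded, cmd)
	return nil
}

// Scenario replays the sequence from the advisory: grant the rule, open a
// terminal, revoke the rule, keep typing. It returns how many commands were
// still forwarded after the revocation in the requested session mode.
func Scenario(recheck bool) (int, error) {
	p := NewPolicy()
	p.Grant("role:myrole", "exec", "create", "*/*")
	s, err := Open(p, "role:myrole", "default/guestbook", recheck)
	if err != nil {
		return 0, err
	}
	if err := s.Exec("hostname"); err != nil { // before revocation: allowed in both modes
		return 0, err
	}
	p.Revoke("role:myrole", "exec", "create", "*/*")
	afterRevoke := 0
	for _, cmd := range []string{"env", "ls /"} {
		if err := s.Exec(cmd); err == nil {
			afterRevoke++
		}
	}
	return afterRevoke, nil
}

func main() {
	for _, recheck := range []bool{false, true} {
		n, _ := Scenario(recheck)
		fmt.Printf("re-check per command=%v: %d commands forwarded after revocation\n", recheck, n)
	}
}
```

With `recheck=false` every command typed after the revocation still reaches the pod, which is the behaviour the advisory describes; with `recheck=true` the first post-revocation command is refused. The defensive point for operators is that revoking an `exec` rule is not sufficient on unpatched versions: terminate open terminal sessions as well, and upgrade to 2.11.7, 2.10.16 or 2.9.21.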
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.6.0, < 2.9.21 | 2.9.21 |
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.10.0, < 2.10.16 | 2.10.16 |
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.11.0, < 2.11.7 | 2.11.7 |
Affected products
23 package coordinates (OSV), none with a CPE:

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/argo-cd-2.10 | < 2.10.16-r0 |
| pkg:apk/chainguard/argo-cd-2.10-compat | < 2.10.16-r0 |
| pkg:apk/chainguard/argo-cd-2.10-repo-server | < 2.10.16-r0 |
| pkg:apk/chainguard/argo-cd-2.9 | < 2.9.21-r0 |
| pkg:apk/chainguard/argo-cd-2.9-compat | < 2.9.21-r0 |
| pkg:apk/chainguard/argo-cd-2.9-repo-server | < 2.9.21-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.10 | < 2.10.16-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.10-compat | < 2.10.16-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.10-repo-server | < 2.10.16-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.11 | < 2.11.7-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.11-compat | < 2.11.7-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.11-repo-server | < 2.11.7-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.9 | < 2.9.21-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.9-compat | < 2.9.21-r0 |
| pkg:apk/chainguard/argo-cd-fips-2.9-repo-server | < 2.9.21-r0 |
| pkg:apk/wolfi/argo-cd-2.10 | < 2.10.16-r0 |
| pkg:apk/wolfi/argo-cd-2.10-compat | < 2.10.16-r0 |
| pkg:apk/wolfi/argo-cd-2.10-repo-server | < 2.10.16-r0 |
| pkg:apk/wolfi/argo-cd-2.9 | < 2.9.21-r0 |
| pkg:apk/wolfi/argo-cd-2.9-compat | < 2.9.21-r0 |
| pkg:apk/wolfi/argo-cd-2.9-repo-server | < 2.9.21-r0 |
| pkg:bitnami/argo-cd | >= 2.6.0, < 2.11.7 |
| pkg:golang/github.com/argoproj/argo-cd/v2 | >= 2.6.0, < 2.9.21 |
References
- https://github.com/advisories/GHSA-v8wx-v5jq-qhhw (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-41666 (advisory)
- https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view (misc)
- https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476 (fix commit)
- https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6 (fix commit)
- https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4 (fix commit)
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw (vendor advisory)
- https://pkg.go.dev/vuln/GO-2024-3006 (Go vulnerability database)