Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
History

Tue, 01 Oct 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Aug 2024 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo Cd
CPEs cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:argo-cd:2.7.11:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:argo-cd:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
cpe:2.3:a:argoproj:argo_cd:2.7.11:*:*:*:*:*:*:*
cpe:2.3:a:argoproj:argo_cd:2.8.0:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation argo-cd
Argoproj
Argoproj argo Cd

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-23T19:12:04.016Z

Updated: 2024-10-01T15:52:16.513Z

Reserved: 2023-08-08T13:46:25.243Z

Link: CVE-2023-40025

cve-icon Vulnrichment

Updated: 2024-08-02T18:24:54.647Z

cve-icon NVD

Status : Modified

Published: 2023-08-23T20:15:08.840

Modified: 2024-11-21T08:18:32.910

Link: CVE-2023-40025

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-08-24T00:00:00Z

Links: CVE-2023-40025 - Bugzilla