Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
Metrics
Affected Vendors & Products
References
History
Tue, 01 Oct 2024 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 07 Aug 2024 16:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Argoproj
Argoproj argo Cd |
|
CPEs | cpe:2.3:a:linuxfoundation:argo-cd:2.7.11:*:*:*:*:*:*:* cpe:2.3:a:linuxfoundation:argo-cd:2.8.0:*:*:*:*:*:*:* |
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:* cpe:2.3:a:argoproj:argo_cd:2.7.11:*:*:*:*:*:*:* cpe:2.3:a:argoproj:argo_cd:2.8.0:*:*:*:*:*:*:* |
Vendors & Products |
Linuxfoundation
Linuxfoundation argo-cd |
Argoproj
Argoproj argo Cd |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-08-23T19:12:04.016Z
Updated: 2024-10-01T15:52:16.513Z
Reserved: 2023-08-08T13:46:25.243Z
Link: CVE-2023-40025
Vulnrichment
Updated: 2024-08-02T18:24:54.647Z
NVD
Status : Modified
Published: 2023-08-23T20:15:08.840
Modified: 2024-11-21T08:18:32.910
Link: CVE-2023-40025
Redhat