PT-2023-27219 · Argo Cd · Argo Cd
Zhlu32
·
Publicado
2023-08-23
·
Atualizado
2024-08-21
·
CVE-2023-40025
CVSS v3.1
4.7
Média
| Vetor | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Argo CD versions 2.6.0 through 2.6.13
Argo CD versions 2.7.0 through 2.7.11
Argo CD versions 2.8.0
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue arises from open web terminal sessions not expiring, allowing users to send any websocket messages even if the token has already expired. This can lead to users viewing sensitive information even after they should have been logged out.
Recommendations
For Argo CD versions 2.6.0 through 2.6.13, update to version 2.6.14.
For Argo CD versions 2.7.0 through 2.7.11, update to version 2.7.12.
For Argo CD version 2.8.0, update to version 2.8.1.
As a temporary workaround, consider disabling the web-based terminal or defining RBAC rules to it.
Exploit
Correção
Insufficient Session Expiration
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Argo Cd