PT-2021-17177 · Argo Cd · Argo Cd
Anatoli Krastev
+1
·
Published
2021-02-09
·
Updated
2024-08-07
·
CVE-2021-26921
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Argo CD versions prior to 1.8.4
Description:
The issue arises from the fact that tokens remain active even after the associated user account has been disabled. This is due to a problem in the
util/session/sessionmanager.go file.Recommendations:
For versions prior to 1.8.4, update to version 1.8.4 or later to resolve the issue. As a temporary workaround, consider disabling the
sessionmanager functionality until a patch is available. Restrict access to the sessionmanager module to minimize the risk of exploitation.Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Argo Cd