PT-2023-27219 · Argo Cd · Argo Cd
Zhlu32
·
Published
2023-08-23
·
Updated
2024-08-21
·
CVE-2023-40025
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Argo CD versions 2.6.0 through 2.6.13
Argo CD versions 2.7.0 through 2.7.11
Argo CD version 2.8.0
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Its web-based terminal opens a websocket session to a pod, and that session is not bound to the lifetime of the user's token: once the terminal is open, the user can keep sending websocket messages after the token has expired. The simplest case is a user who opens the terminal view and leaves it open; they can keep running commands and reading sensitive information in the pod after they should have been logged out. Exploitation requires an authenticated user who already has terminal (exec) access, which is why the vector carries PR:L; the impact is a session outliving its intended lifetime, not a gain of new privileges.
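The failure mode described above, as an added illustration that is not Argo CD's code: a simplified model of a web-terminal websocket session authenticated by an HS256 bearer token. The pre-fix pattern validates the token only when the socket is opened; the hardened pattern re-runs that validation on every inbound frame and refuses frames once the token's exp has passed. The names (TerminalSession, OpenSession, HandleFrame), the sample key and the sample token are hypothetical, and the token check is a minimal HS256 verifier written for this example, not Argo CD's session manager.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var ErrSessionExpired = errors.New("session token expired") // token is past its exp claim

// claims is the subset of JWT claims this model needs: subject and expiry (Unix seconds).
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// signHS256 builds a compact HS256 JWT; used here only to construct sample tokens.
func signHS256(c claims, key []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 pins alg to HS256, checks the HMAC and returns the claims; exp is left to the caller.
func verifyHS256(token string, key []byte) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return claims{}, errors.New("malformed base64 segment")
		}
	}
	var hdr struct{ Alg string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return claims{}, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return claims{}, errors.New("bad signature")
	}
	var c claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return claims{}, errors.New("malformed claims")
	}
	return c, nil
}

// TerminalSession models one open web-terminal websocket (hypothetical name).
// recheckEachFrame=false is the pre-fix pattern (token checked only at connect time);
// recheckEachFrame=true re-validates the token's exp on every inbound frame.
type TerminalSession struct {
	user, token      string
	key              []byte
	recheckEachFrame bool
}

// OpenSession is the websocket-upgrade step; both variants validate the token here.
func OpenSession(token string, key []byte, recheckEachFrame bool, now time.Time) (*TerminalSession, error) {
	c, err := verifyHS256(token, key)
	if err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, ErrSessionExpired
	}
	return &TerminalSession{user: c.Sub, token: token, key: key, recheckEachFrame: recheckEachFrame}, nil
}

// HandleFrame processes one inbound message (a command typed into the terminal) and
// returns the line that would be forwarded to the pod's shell.
func (s *TerminalSession) HandleFrame(cmd string, now time.Time) (string, error) {
	if s.recheckEachFrame {
		// Re-run exactly the check the upgrade did, against the current time.
		if _, err := OpenSession(s.token, s.key, true, now); err != nil {
			return "", err
		}
	}
	return fmt.Sprintf("%s@pod$ %s", s.user, cmd), nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key, not a real secret
	t0 := time.Unix(1_700_000_000, 0)
	tok := signHS256(claims{Sub: "alice", Exp: t0.Add(time.Minute).Unix()}, key)
	for _, recheck := range []bool{false, true} {
		s, _ := OpenSession(tok, key, recheck, t0)
		out, err := s.HandleFrame("cat /etc/secret", t0.Add(2*time.Minute)) // one minute past exp
		fmt.Printf("recheck=%v: out=%q err=%v\n", recheck, out, err)
	}
}
```

With the token valid for one minute and a frame sent two minutes after connect, the pre-fix session still forwards the command while the hardened session returns ErrSessionExpired. A real implementation would also close the socket at that point and apply an absolute session lifetime independent of the token, since an attacker holding an open socket is otherwise limited only by whatever keeps the token fresh.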
Recommendations
For Argo CD versions 2.6.0 through 2.6.13, update to version 2.6.14.
For Argo CD versions 2.7.0 through 2.7.11, update to version 2.7.12.
For Argo CD version 2.8.0, update to version 2.8.1.
As a temporary workaround, disable the web-based terminal (it is off unless exec.enabled is set to "true" in the argocd-cm ConfigMap) or restrict who may open it with RBAC rules on the exec resource. These measures only limit who can reach the terminal; they do not make already-open sessions expire, so upgrading is the only complete fix.
Exploit
Fix
Weakness Enumeration
Insufficient Session Expiration (CWE-613)
Related Identifiers
CVE-2023-40025
Affected Products
Argo CD