PT-2024-5332 · Argo CD

Clownandbox · Published 2024-07-18 · Updated 2025-01-09

CVE-2024-41666
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Argo CD versions 2.6.0 through 2.11.6
Argo CD versions 2.7.0 through 2.10.15
Argo CD versions 2.8.0 through 2.9.20
Description

The issue is related to the Argo CD web terminal, which allows users to get a shell inside a running pod. When the administrator enables this function and grants the user exec permission with a policy line such as "p, role:myrole, exec, create, */*, allow", the user can still perform operations in the container even after this permission is revoked, as long as the user keeps the terminal view open: the permission is not re-checked for the lifetime of the session. This may lead to the leakage of sensitive information. The estimated number of potentially affected devices worldwide is not available.
Recommendations

For Argo CD versions 2.6.0 through 2.11.6, update to version 2.11.7 or later.
For Argo CD versions 2.7.0 through 2.10.15, update to version 2.10.16 or later.
For Argo CD versions 2.8.0 through 2.9.20, update to version 2.9.21 or later.

As a temporary workaround, consider disabling the web terminal function until a patch is available. Restrict access to the web terminal to minimize the risk of exploitation.
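As an added illustration (not Argo CD's own code, and using a simplified policy model keyed by subject, action and object rather than Argo CD's full RBAC line), the Go sketch below contrasts a session that authorizes only when it is opened, so a later revocation never reaches it, with one that re-checks the policy on a timer and closes as soon as the grant is gone:

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// PolicyStore is a constructed in-memory RBAC store (hypothetical, not Argo CD's
// enforcer); the mutex lets a revocation happen while a session is running.
type PolicyStore struct {
	mu    sync.RWMutex
	rules map[string]bool // key: subject|action|object
}

func NewPolicyStore() *PolicyStore { return &PolicyStore{rules: map[string]bool{}} }
func key(s, a, o string) string    { return s + "|" + a + "|" + o }
func (p *PolicyStore) Grant(s, a, o string)  { p.mu.Lock(); p.rules[key(s, a, o)] = true; p.mu.Unlock() }
func (p *PolicyStore) Revoke(s, a, o string) { p.mu.Lock(); delete(p.rules, key(s, a, o)); p.mu.Unlock() }
func (p *PolicyStore) Enforce(s, a, o string) bool {
	p.mu.RLock()
	defer p.mu.RUnlock()
	return p.rules[key(s, a, o)]
}

var ErrRevoked = errors.New("exec permission revoked; closing terminal session")

// RunSession models one long-lived web-terminal session. With recheck=false the
// policy is consulted only at open, so a later revocation never reaches the
// session (the flaw described above). With recheck=true it is re-evaluated on
// every tick and ErrRevoked is returned once the grant is gone.
func RunSession(p *PolicyStore, subject, object string, interval time.Duration,
	done <-chan struct{}, recheck bool) error {
	if !p.Enforce(subject, "exec", object) {
		return errors.New("permission denied at session open")
	}
	tick := time.NewTicker(interval)
	defer tick.Stop()
	for {
		select {
		case <-done: // the user ended the session normally
			return nil
		case <-tick.C:
			if recheck && !p.Enforce(subject, "exec", object) {
				return ErrRevoked
			}
		}
	}
}
```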

Weakness Enumeration

Improper Privilege Management

Related Identifiers

BDU:2024-05960
BIT-ARGO-CD-2024-41666
CVE-2024-41666
GHSA-V8WX-V5JQ-QHHW
GO-2024-3006

Affected Products

Argo Cd