
x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40025 #2019

Closed
GoVulnBot opened this issue Aug 23, 2023 · 1 comment
@GoVulnBot

CVE-2023-40025 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
description: |-
    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All
    versions of Argo CD starting from version 2.6.0 have a bug where open web
    terminal sessions do not expire. This bug allows users to send any websocket
    messages even if the token has already expired. The most straightforward
    scenario is when a user opens the terminal view and leaves it open for an
    extended period. This allows the user to view sensitive information even when
    they should have been logged out already. A patch for this vulnerability has
    been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
cves:
    - CVE-2023-40025
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr
    - fix: https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478
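The session-expiry defect described above, as an added Go example that is not Argo CD's code (the TerminalSession type, its methods and the injectable clock are hypothetical): the unchecked handler validates the token only when the websocket is upgraded, so an idle terminal keeps accepting messages after the token lapses, while the hardened handler re-checks expiry on every inbound message and tears the session down the first time it is found expired.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrSessionExpired is returned once the token backing a terminal session has lapsed.
var ErrSessionExpired = errors.New("terminal session: token expired")

// TerminalSession models one web-terminal websocket session (hypothetical type,
// not Argo CD's). TokenExpiry is captured when the socket is upgraded; Now is
// injectable so the expiry check can be exercised without sleeping.
type TerminalSession struct {
	TokenExpiry time.Time
	Now         func() time.Time
	closed      bool
}

// HandleMessageUnchecked mirrors the flawed pattern: the token was validated once
// at upgrade time, so every later message is accepted regardless of expiry.
func (s *TerminalSession) HandleMessageUnchecked(msg string) (string, error) {
	if s.closed {
		return "", ErrSessionExpired
	}
	return forward(msg), nil
}

// HandleMessage re-validates the token expiry on every inbound message and closes
// the session the first time it is expired, so a terminal left open past logout
// cannot keep sending input to, or reading output from, the pod.
func (s *TerminalSession) HandleMessage(msg string) (string, error) {
	if s.closed || !s.Now().Before(s.TokenExpiry) {
		s.closed = true
		return "", ErrSessionExpired
	}
	return forward(msg), nil
}

// Closed reports whether the session has been torn down.
func (s *TerminalSession) Closed() bool { return s.closed }

// forward stands in for writing the message to the pod's pty.
func forward(msg string) string { return "pty> " + msg }

func main() {
	clock := time.Now()
	s := &TerminalSession{TokenExpiry: clock.Add(time.Minute), Now: func() time.Time { return clock }}
	fmt.Println(s.HandleMessage("ls"))
	clock = clock.Add(2 * time.Minute) // token has now expired
	fmt.Println(s.HandleMessage("cat /etc/secret"))
}
```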

@maceonthompson self-assigned this Aug 24, 2023
@maceonthompson added the "excluded: EFFECTIVELY_PRIVATE" label (this vulnerability exists in a package that can be imported, but isn't meant to be used outside that module) and the "duplicate" label, then removed the "excluded: EFFECTIVELY_PRIVATE" label, Aug 24, 2023
@maceonthompson

Duplicate of #2018.

This issue was closed.