x/vulndb: potential Go vuln in github.com/argoproj/argo: CVE-2020-8826

[tatianab]

CVE-2020-8826 references github.com/argoproj/argo, which may be a Go module.

Description:
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-8826
• web: https://github.com/argoproj/argo/releases
• web: https://www.soluble.ai/blog/argo-cves-2020
• web: https://argoproj.github.io/argo-cd/security_considerations/
• Imported by: https://pkg.go.dev/github.com/argoproj/argo?tab=importedby

Cross references:

• Module github.com/argoproj/argo appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo: GHSA-h8jc-jmrf-9h8f #843 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo
      vulnerable_at: 0.4.7
      packages:
        - package: n/a
cves:
    - CVE-2020-8826
references:
    - web: https://github.com/argoproj/argo/releases
    - web: https://www.soluble.ai/blog/argo-cves-2020
    - web: https://argoproj.github.io/argo-cd/security_considerations/

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports