Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12OHd4LXY1anEtcWhod84AA-HA
The Argo CD web terminal session does not handle the revocation of user permissions properly
Argo CD v2.11.3 and before, discovering that even if the user's p, role:myrole, exec, create, */*, allow
permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access.
Description
Argo CD has a Web-based terminal that allows you to get a shell inside a running pod, just like you would with kubectl exec. However, when the administrator enables this function and grants permission to the user p, role:myrole, exec, create, */*, allow
, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. CVE-2023-40025 Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user p, role:myrole, exec, create, */*, allow
permissions, which may still lead to the leakage of sensitive information.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.11.7
v2.10.16
v2.9.21
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by
Shengjie Li, Huazhong University of Science and Technology
Zhi Li, Huazhong University of Science and Technology
Weijie Liu, Nankai University
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
Permalink: https://github.com/advisories/GHSA-v8wx-v5jq-qhhwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OHd4LXY1anEtcWhod84AA-HA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Percentage: 0.00074
EPSS Percentile: 0.3456
Identifiers: GHSA-v8wx-v5jq-qhhw, CVE-2024-41666
References:
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw
- https://nvd.nist.gov/vuln/detail/CVE-2024-41666
- https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
- https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
- https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
- https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
- https://pkg.go.dev/vuln/GO-2024-3006
- https://github.com/advisories/GHSA-v8wx-v5jq-qhhw
Blast Radius: 10.2
Affected Packages
go:github.com/argoproj/argo-cd/v2
Dependent packages: 154Dependent repositories: 148
Downloads:
Affected Version Ranges: >= 2.11.0, < 2.11.7, >= 2.10.0, < 2.10.16, >= 2.6.0, < 2.9.21
Fixed in: 2.11.7, 2.10.16, 2.9.21
All affected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.5.16, 2.5.17, 2.5.18, 2.5.19, 2.5.20, 2.5.21, 2.5.22