CVE-2023-40025: Argo CD web terminal session doesn't expire

August 23, 2023

All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already.

References

github.com/advisories/GHSA-c8xw-vjgf-94hr
github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478
github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr

Detect and mitigate CVE-2023-40025 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →