CVE-2024-41666: The Argo CD web terminal session does not handle the revocation of user permissions properly
Affects Argo CD v2.11.3 and before. Even after the user's `p, role:myrole, exec, create, */*, allow` permission is revoked, an already-open web terminal session keeps accepting any Websocket message from that user, which allows the user to view sensitive information they should no longer have access to.
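As an added illustration (not Argo CD's own code), a Go model of the defect and its fix: the terminal session re-checks the RBAC policy on every inbound Websocket message instead of only when the socket is opened, and closes once the `exec, create` allow line is gone. `Policy`, `TerminalSession` and their methods are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"strings"
)

// Policy stands in for Argo CD's RBAC store (hypothetical, not the project's
// enforcer): the policy lines in force, e.g. "p, role:myrole, exec, create, */*, allow".
type Policy map[string]bool
func (p Policy) Grant(line string)  { p[line] = true }
func (p Policy) Revoke(line string) { delete(p, line) }

// CanExec reports whether role currently holds an "exec, create, ..., allow" line.
func (p Policy) CanExec(role string) bool {
	for line := range p {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		if len(f) == 6 && f[0] == "p" && f[1] == role &&
			f[2] == "exec" && f[3] == "create" && f[5] == "allow" {
			return true
		}
	}
	return false
}

// TerminalSession models one web-terminal Websocket. Pre-fix, the policy was
// checked only in OpenSession; the fix repeats the check on every message.
type TerminalSession struct {
	role   string
	policy Policy
	closed bool
	Sent   []string // messages forwarded to the pod (stand-in for the exec stream)
}

func OpenSession(role string, p Policy) (*TerminalSession, error) {
	if !p.CanExec(role) {
		return nil, errors.New("forbidden")
	}
	return &TerminalSession{role: role, policy: p}, nil
}

// Send forwards one inbound Websocket message, re-authorizing first (the fix).
func (s *TerminalSession) Send(msg string) error {
	if s.closed || !s.policy.CanExec(s.role) {
		s.closed = true
		return errors.New("exec permission revoked; terminal session closed")
	}
	s.Sent = append(s.Sent, msg)
	return nil
}
```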
References
- drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
- github.com/advisories/GHSA-v8wx-v5jq-qhhw
- github.com/argoproj/argo-cd
- github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
- github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
- github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
- github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw
- nvd.nist.gov/vuln/detail/CVE-2024-41666
- pkg.go.dev/vuln/GO-2024-3006