x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40025

[GoVulnBot]

CVE-2023-40025 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-40025
• JSON: https://github.com/CVEProject/cvelist/tree/b71bc780547e871080e74795a7a5cf86f23f14d6/2023/40xxx/CVE-2023-40025.json
• advisory: GHSA-c8xw-vjgf-94hr
• fix: argoproj/argo-cd@e047efa
• Imported by: https://pkg.go.dev/github.com/argoproj/argo-cd?tab=importedby

Cross references:

• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
description: |-
    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All
    versions of Argo CD starting from version 2.6.0 have a bug where open web
    terminal sessions do not expire. This bug allows users to send any websocket
    messages even if the token has already expired. The most straightforward
    scenario is when a user opens the terminal view and leaves it open for an
    extended period. This allows the user to view sensitive information even when
    they should have been logged out already. A patch for this vulnerability has
    been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
cves:
    - CVE-2023-40025
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr
    - fix: https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478

[maceonthompson]

Duplicate of #2018.