Insufficient Session Expiration Affecting github.com/argoproj/argo-cd/v2/server package, versions >=2.6.0 <2.6.14 >=2.7.0 <2.7.12 >=2.8.0 <2.8.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDV2SERVER-5856818
- published 24 Aug 2023
- disclosed 23 Aug 2023
- credit zhlu32
Introduced: 23 Aug 2023
CVE-2023-40025 Open this link in a new tabHow to fix?
Upgrade github.com/argoproj/argo-cd/v2/server to version 2.6.14, 2.7.12, 2.8.1 or higher.
Overview
Affected versions of this package are vulnerable to Insufficient Session Expiration. An attacker can continue to send websocket messages and access sensitive information even after their session token has expired through the 'web terminal' component. This is possible when a user leaves a terminal view open for an extended period, bypassing session expiration and facilitating unauthorized access.
Note:
This vulnerability is only exploitable if users have the ability to keep a web terminal session active for extended periods after their session tokens have lapsed.