Home > Vulnerability Database > CVE-2023-40025

Mend.io Vulnerability Database

CVE-2023-40025

Good to know:

Date: August 23, 2023

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.

Language: Go

Severity Score

4.7

Related Resources (5)

Url: https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40025

Url: https://github.com/argoproj/argo-cd

Url: https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr

Url: https://www.mend.io/vulnerability-database/CVE-2023-40025

Severity Score

4.7

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

Upgrade Version

Upgrade to version v2.6.14,v2.7.12,v2.8.1

Learn More

CVSS v3.1

Base Score:	4.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40025

Good to know:

Date: August 23, 2023

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?