CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence: High
EPSS Percentile: 16.1%
A vulnerability was found in ArgoCD's web-based terminal. A user who has already opened a terminal session can keep sending WebSocket messages and reading sensitive information even after the RBAC permission that authorised the session (for example the policy line `p, role:myrole, exec, create, */*, allow`) has been revoked. Authorisation is checked only when the session is opened, not on subsequent messages, so the session stays usable for as long as the client keeps it open. An attacker who holds a terminal open therefore retains command execution inside the container and can view sensitive data despite the revocation.
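The following Go program is an added illustration of the failure mode described above; it is not code from the Argo CD project or from the advisory. It models a web-terminal session with a minimal RBAC store whose rules mirror Argo CD's `policy.csv` shape (`p, role, resource, action, object, effect`) and contrasts a session that authorises only at open time (the vulnerable pattern) with one that re-evaluates `exec/create` on every incoming message and closes itself when the grant disappears. The policy store, session type, role name, application object and commands are all constructed here for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Policy is a constructed stand-in for an RBAC policy store. Each rule mirrors
// one policy.csv line: p, <role>, <resource>, <action>, <object>, allow.
type Policy struct {
	mu    sync.RWMutex
	rules map[string]bool // key: role|resource|action|object
}

func NewPolicy() *Policy { return &Policy{rules: map[string]bool{}} }

func ruleKey(role, resource, action, object string) string {
	return strings.Join([]string{role, resource, action, object}, "|")
}

func (p *Policy) Grant(role, resource, action, object string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.rules[ruleKey(role, resource, action, object)] = true
}

func (p *Policy) Revoke(role, resource, action, object string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	delete(p.rules, ruleKey(role, resource, action, object))
}

// Enforce answers whether role may perform action on resource for object.
// Only an exact object match or the "*/*" wildcard (project/app) is supported.
func (p *Policy) Enforce(role, resource, action, object string) bool {
	p.mu.RLock()
	defer p.mu.RUnlock()
	return p.rules[ruleKey(role, resource, action, object)] ||
		p.rules[ruleKey(role, resource, action, "*/*")]
}

var (
	ErrForbidden = errors.New("permission denied")
	ErrClosed    = errors.New("session closed")
)

// TerminalSession models one open web-terminal WebSocket.
type TerminalSession struct {
	role, object string
	policy       *Policy
	recheck      bool // false: authorise once at open (vulnerable); true: re-authorise per message
	closed       bool
	Executed     []string // commands that reached the container
}

// OpenTerminal performs the open-time check that both variants share.
func OpenTerminal(p *Policy, role, object string, recheck bool) (*TerminalSession, error) {
	if !p.Enforce(role, "exec", "create", object) {
		return nil, ErrForbidden
	}
	return &TerminalSession{role: role, object: object, policy: p, recheck: recheck}, nil
}

// Send delivers one WebSocket message (a shell command) to the session.
func (s *TerminalSession) Send(cmd string) error {
	if s.closed {
		return ErrClosed
	}
	// The hardened variant re-evaluates the grant on every message and tears
	// the session down as soon as it is gone.
	if s.recheck && !s.policy.Enforce(s.role, "exec", "create", s.object) {
		s.closed = true
		return ErrForbidden
	}
	s.Executed = append(s.Executed, cmd)
	return nil
}

// Scenario replays the advisory's sequence: grant, open a terminal, revoke the
// grant, then send another command. It reports whether that last command ran.
func Scenario(recheck bool) (executedAfterRevoke bool, err error) {
	p := NewPolicy()
	p.Grant("role:myrole", "exec", "create", "*/*")
	s, err := OpenTerminal(p, "role:myrole", "default/guestbook", recheck)
	if err != nil {
		return false, err
	}
	if err := s.Send("id"); err != nil {
		return false, err
	}
	p.Revoke("role:myrole", "exec", "create", "*/*")
	err = s.Send("cat /var/run/secrets/kubernetes.io/serviceaccount/token")
	return len(s.Executed) == 2, err
}

func main() {
	for _, rc := range []bool{false, true} {
		ran, err := Scenario(rc)
		fmt.Printf("recheck per message=%v: command after revoke executed=%v err=%v\n", rc, ran, err)
	}
}
```

Re-checking on every message is the simplest correct shape; a periodic re-check on a timer bounds the cost but leaves a window equal to the interval, which is the trade-off to weigh when reviewing any terminal-style long-lived connection. Operators who cannot upgrade immediately can also switch the web terminal off entirely via the `exec.enabled` key in the `argocd-cm` ConfigMap.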
bugzilla.redhat.com/show_bug.cgi?id=2299725
drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw
nvd.nist.gov/vuln/detail/CVE-2024-41666
www.cve.org/CVERecord?id=CVE-2024-41666