101 matches found
The vulnerability of the web terminal of the declarative delivery tool for GitOps for Kubernetes Argo CD allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the web terminal of the GitOps continuous delivery tool for Kubernetes Argo CD is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker, operating remotely, to gain unauthorized access to protected information...
The Argo CD web terminal session does not handle the revocation of user permissions properly
Argo CD v2.11.3 and before, discovering that even if the user's p, role:myrole, exec, create, /, allow permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access. Description Argo CD has ...
GHSA-V8WX-V5JQ-QHHW The Argo CD web terminal session does not handle the revocation of user permissions properly
Argo CD v2.11.3 and before, discovering that even if the user's p, role:myrole, exec, create, /, allow permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access. Description Argo CD has ...
CVE-2024-41666 The Argo CD web terminal session does not handle the revocation of user permissions properly.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to...
CVE-2024-41666
Argo CD's Web-based terminal vulnerability allows a user with permissions p, role:myrole, exec, create, / , allow to continue operations in the container even after revoking that permission, as long as the terminal view stays open. The issue can persist beyond token expiration/revocation and is n...
CVE-2024-41666 The Argo CD web terminal session does not handle the revocation of user permissions properly.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to...
PT-2024-5332 · Argo Cd · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions 2.6.0 through 2.11.6 Argo CD versions 2.7.0 through 2.10.15 Argo CD versions 2.8.0 through 2.9.20 Description: The issue is related to the Argo CD web terminal, which allows users to get a shell inside a running pod. When the...
BIT-GITLAB-2022-1944
When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs...
CVE-2023-35794
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint spawned console can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console...
Cassia Networks Access Controller Security Vulnerability
Cassia Networks Access Controller is an application from Cassia Networks, Inc. provides a powerful IoT network management solution. A security vulnerability exists in Cassia Access Controller version 2.1.1.2303271039 that originates from accessing a Web SSH terminal endpoint without authenticatio...
Internet Bug Bounty: Argocd's web terminal session doesn't expire
A vulnerability was discovered in all versions of Argo CD starting from v2.6.0, where open web terminal sessions did not expire. This allowed users to send websocket messages even after their session token had expired, potentially exposing sensitive information. The issue has been patched in...
Insufficient Session Expiration
github.com/argoproj/argo-cd is vulnerable to Insufficient Session Expiration. The vulnerability exists because web terminal sessions in the library do not expire, which allows an attacker to send a websocket messages even if the token has already expired, leading to sensitive information...
CVE-2023-40025
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most...
Design/Logic Flaw
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most...
CVE-2023-40025 Argo CD web terminal session doesn't expire
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most...
CVE-2023-40025
CVE-2023-40025 affects Argo CD where open web terminal sessions do not expire, allowing WebSocket messages after token expiry and potential viewing of sensitive information. Technical details across connected documents confirm the issue is tied to the web terminal feature, with remediation delive...
Argo CD web terminal session doesn't expire
Impact All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open fo...
GHSA-C8XW-VJGF-94HR Argo CD web terminal session doesn't expire
Impact All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open fo...
PT-2023-27219 · Argo Cd · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions 2.6.0 through 2.6.13 Argo CD versions 2.7.0 through 2.7.11 Argo CD versions 2.8.0 Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue arises from open web terminal sessions not...
Server-Side Request Forgery (SSRF)
gitlab is vulnerable to Server-Side Request Forgery SSRF. The vulnerability exists in web terminal advertiseaddress which allows an attacker to connect to local addresses when configuring a malicious GitLab Runner...