CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS
Percentile: 30.3%
github.com/argoproj/argo-cd is vulnerable to Insufficient Session Expiration. The vulnerability exists because web terminal sessions in the library do not expire, which allows an attacker to keep sending websocket messages even after the token has expired, leading to sensitive information disclosure or unauthorized actions.
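The failure mode described above, as an added illustration (not Argo CD's code or its fix): a hypothetical Session type stands in for one web terminal connection, and the Recheck flag switches between trusting the handshake-time check and re-validating token expiry on every frame. All names, the 10-minute token lifetime and the frame timings are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrTokenExpired closes the session when a frame arrives after token expiry.
var ErrTokenExpired = errors.New("token expired: terminal session closed")

// Session is a hypothetical stand-in for one web terminal connection.
type Session struct {
	TokenExpiry time.Time        // expiry captured from the token at handshake
	Now         func() time.Time // injectable clock so the replay is deterministic
	Recheck     bool             // false models the flaw: auth checked at handshake only
	Forwarded   []string         // frames that reached the shell (stand-in for the exec stream)
}

// Handle forwards one websocket frame; with Recheck set it first re-validates expiry.
func (s *Session) Handle(frame string) error {
	if s.Recheck && !s.Now().Before(s.TokenExpiry) {
		return ErrTokenExpired
	}
	s.Forwarded = append(s.Forwarded, frame)
	return nil
}

// Replay sends constructed frames at offsets from the handshake; returns frames forwarded.
func Replay(recheck bool, ttl time.Duration, offsets []time.Duration) (int, error) {
	start := time.Unix(1700000000, 0) // constructed handshake time
	clock := start
	s := &Session{TokenExpiry: start.Add(ttl), Recheck: recheck, Now: func() time.Time { return clock }}
	for i, off := range offsets {
		clock = start.Add(off)
		if err := s.Handle(fmt.Sprintf("frame-%d", i)); err != nil {
			return len(s.Forwarded), err
		}
	}
	return len(s.Forwarded), nil
}

func main() {
	offsets := []time.Duration{time.Minute, 9 * time.Minute, 11 * time.Minute}
	for _, recheck := range []bool{false, true} {
		n, err := Replay(recheck, 10*time.Minute, offsets)
		fmt.Printf("recheck=%v forwarded=%d err=%v\n", recheck, n, err)
	}
}
```

A per-frame check only fires when a frame arrives, so a server would also need a timer that closes an idle session once the token expires.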
github.com/argoproj/argo-cd/commit/003d6d1da5e02ef475eaa3d89b84f9ff2dac8000
github.com/argoproj/argo-cd/commit/9ffef110da767f6c33d9c01c6fb1692647dd27e4
github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478
github.com/argoproj/argo-cd/commit/fbf49f72e7486b264b23d848041e21e8ad64b611
github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr