7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40025

GHSA ID

GHSA-c8xw-vjgf-94hr

EPSS Score

0.37%

CWE

CWE-613

Published

8/23/2023

Updated

11/7/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-40025

CVE-2023-40025: Argo CD web terminal session doesn't expire

Impact

All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already.

Patches

A patch for this vulnerability has been released in the following Argo CD version:

v2.6.14
v2.7.12
v2.8.1

Workarounds

The only way to completely resolve the issue is to upgrade.

Mitigations

Disable web-based terminal or define RBAC rules to it https://argo-cd.readthedocs.io/en/latest/operator-manual/web_based_terminal/

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

Thank you to bean.zhang (@zhlu32 ) of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our guidelines.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40025

GHSA ID

GHSA-c8xw-vjgf-94hr

EPSS Score

0.37%

CWE

CWE-613

Published

8/23/2023

Updated

11/7/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-cd	go	>= 2.6.0, < 2.6.14	2.6.14
github.com/argoproj/argo-cd	go	>= 2.7.0, < 2.7.12	2.7.12
github.com/argoproj/argo-cd	go	= 2.8.0	2.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing token validation in websocket message handling. The patch added: 1) SessionManager integration in terminalSession struct 2) Token verification in Read() method 3) Reconnect logic when tokens expire. The original Read() method (vulnerable) lacked the critical 'VerifyToken' check shown in the diff, allowing sessions to persist after token expiration. The newTerminalSession function's pre-patch version didn't pass sessionManager, preventing token validation infrastructure from being available during session initialization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ll v*rsions o* *r*o ** st*rtin* *rom v*.*.* **v* * *u* w**r* op*n w** t*rmin*l s*ssions *o not *xpir*. T*is *u* *llows us*rs to s*n* *ny w**so*k*t m*ss***s *v*n i* t** tok*n **s *lr***y *xpir**. T** most str*i**t*orw*r* s**n*rio is w**n *

Reasoning

T** vuln*r**ility st*ms *rom missin* tok*n v*li**tion in w**so*k*t m*ss*** **n*lin*. T** p*t** *****: *) S*ssionM*n***r int**r*tion in t*rmin*lS*ssion stru*t *) Tok*n v*ri*i**tion in R***() m*t*o* *) R**onn**t lo*i* w**n tok*ns *xpir*. T** ori*in*l R

7.1

Basic Information

Concerned about an active attack path?

CVE-2023-40025: Argo CD web terminal session doesn't expire

Impact

Patches

Workarounds

Mitigations

For more information

Credits

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI