Argo CD v2.11.3 and before, discovering that even if the user's p, role:myrole, exec, create, */*, allow permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access. Description Argo CD has a Web-based terminal that allows you to get a shell inside a running pod, just like you would with kubectl exec. However, when the administrator enables this function and grants permission to the user p, role:myrole, exec, create, */*, allow, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. CVE-2023-40025 Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user p, role:myrole, exec, create, */*, allow permissions, which may still lead to the leakage of sensitive information. Patches A patch for this vulnerability has been released in the following Argo CD versions: v2.11.7 v2.10.16 v2.9.21 For more information If you have any questions or comments about this advisory: Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd Credits This vulnerability was found & reported by Shengjie Li, Huazhong University of Science and Technology Zhi Li, Huazhong University of Science and Technology Weijie Liu, Nankai University The Argo team would like to…Read More
References
Back to Main