x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006

GoVulnBot · 2024-07-24T19:01:16Z

Advisory CVE-2024-41666 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-cd

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user p, role:myrole, exec, create, */*, allow, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix d...

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41666
FIX: argoproj/argo-cd@05edb2a
FIX: argoproj/argo-cd@e96f32d
FIX: argoproj/argo-cd@ef53523
WEB: https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
WEB: GHSA-v8wx-v5jq-qhhw

Cross references:

github.com/argoproj/argo-cd appears in 32 other report(s):
- data/excluded/GO-2022-0304.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0357.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0358.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0359.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0387.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0453.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0454.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0455.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0495.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0497.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0498.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0499.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0516.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0517.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0518.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0882.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882) NOT_IMPORTABLE
- data/excluded/GO-2022-0892.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892) NOT_IMPORTABLE
- data/excluded/GO-2023-1512.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512) NOT_IMPORTABLE
- data/excluded/GO-2023-1520.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520) NOT_IMPORTABLE
- data/excluded/GO-2023-1577.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1670.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2018.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-c8xw-vjgf-94hr #2018) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2049.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049) NOT_IMPORTABLE
- data/excluded/GO-2023-2050.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050) EFFECTIVELY_PRIVATE
- data/excluded/GO-2024-2470.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-22424 #2470) EFFECTIVELY_PRIVATE
- data/reports/GO-2024-2643.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-g623-jcgg-mhmm #2643)
- data/reports/GO-2024-2646.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jwv5-8mqv-g387 #2646)
- data/reports/GO-2024-2728.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728)
- data/reports/GO-2024-2792.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-32476 #2792)
- data/reports/GO-2024-2877.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31989 #2877)
- data/reports/GO-2024-2898.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-36106 #2898)
- data/reports/GO-2024-2902.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-37152 #2902)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
summary: CVE-2024-41666 in github.com/argoproj/argo-cd
cves:
    - CVE-2024-41666
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41666
    - fix: https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
    - fix: https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
    - fix: https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
    - web: https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
    - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw
source:
    id: CVE-2024-41666
    created: 2024-07-24T19:01:16.009164122Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-08-05T21:15:36Z

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

ianthehat added the triaged label Jul 25, 2024

gopherbot closed this as completed in 7162f20 Aug 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006

GoVulnBot commented Jul 24, 2024

gopherbot commented Aug 5, 2024

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006

Comments

GoVulnBot commented Jul 24, 2024

gopherbot commented Aug 5, 2024