SCA: security update for github.com/argoproj/argo-cd (GHSA-c8xw-vjgf-94hr)

high Tenable Self-Hosted Container Security Plugin ID 413786

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting
from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to
send any websocket messages even if the token has already expired. The most straightforward scenario is
when a user opens the terminal view and leaves it open for an extended period. This allows the user to
view sensitive information even when they should have been logged out already. A patch for this
vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
(CVE-2023-40025)

See Also

https://github.com/advisories/GHSA-c8xw-vjgf-94hr

Plugin Details

Severity: High

ID: 413786

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.91

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N

CVSS Score Source: CVE-2023-40025

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/23/2023

Vulnerability Publication Date: 8/23/2023

Reference Information

CVE: CVE-2023-40025

cwe: CWE-613