x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666

[GoVulnBot]

Advisory CVE-2024-41666 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-cd

Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user p, role:myrole, exec, create, */*, allow, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. Although the token expiration and revocation of the user are fixed, however, the fix d...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41666
• FIX: https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
• FIX: https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
• FIX: https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
• WEB: https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
• WEB: https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw

Cross references:

• github.com/argoproj/argo-cd appears in 32 other report(s):
  • data/excluded/GO-2022-0304.yaml (https://github.com/golang/vulndb/issues/304) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0357.yaml (https://github.com/golang/vulndb/issues/357) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0358.yaml (https://github.com/golang/vulndb/issues/358) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0359.yaml (https://github.com/golang/vulndb/issues/359) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0387.yaml (https://github.com/golang/vulndb/issues/387) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0453.yaml (https://github.com/golang/vulndb/issues/453) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0454.yaml (https://github.com/golang/vulndb/issues/454) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0455.yaml (https://github.com/golang/vulndb/issues/455) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0495.yaml (https://github.com/golang/vulndb/issues/495) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0497.yaml (https://github.com/golang/vulndb/issues/497) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0498.yaml (https://github.com/golang/vulndb/issues/498) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0499.yaml (https://github.com/golang/vulndb/issues/499) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0516.yaml (https://github.com/golang/vulndb/issues/516) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0517.yaml (https://github.com/golang/vulndb/issues/517) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0518.yaml (https://github.com/golang/vulndb/issues/518) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0882.yaml (https://github.com/golang/vulndb/issues/882) NOT_IMPORTABLE
  • data/excluded/GO-2022-0892.yaml (https://github.com/golang/vulndb/issues/892) NOT_IMPORTABLE
  • data/excluded/GO-2023-1512.yaml (https://github.com/golang/vulndb/issues/1512) NOT_IMPORTABLE
  • data/excluded/GO-2023-1520.yaml (https://github.com/golang/vulndb/issues/1520) NOT_IMPORTABLE
  • data/excluded/GO-2023-1577.yaml (https://github.com/golang/vulndb/issues/1577) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1670.yaml (https://github.com/golang/vulndb/issues/1670) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2018.yaml (https://github.com/golang/vulndb/issues/2018) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2049.yaml (https://github.com/golang/vulndb/issues/2049) NOT_IMPORTABLE
  • data/excluded/GO-2023-2050.yaml (https://github.com/golang/vulndb/issues/2050) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2024-2470.yaml (https://github.com/golang/vulndb/issues/2470) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2643.yaml (https://github.com/golang/vulndb/issues/2643)
  • data/reports/GO-2024-2646.yaml (https://github.com/golang/vulndb/issues/2646)
  • data/reports/GO-2024-2728.yaml (https://github.com/golang/vulndb/issues/2728)
  • data/reports/GO-2024-2792.yaml (https://github.com/golang/vulndb/issues/2792)
  • data/reports/GO-2024-2877.yaml (https://github.com/golang/vulndb/issues/2877)
  • data/reports/GO-2024-2898.yaml (https://github.com/golang/vulndb/issues/2898)
  • data/reports/GO-2024-2902.yaml (https://github.com/golang/vulndb/issues/2902)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
summary: CVE-2024-41666 in github.com/argoproj/argo-cd
cves:
    - CVE-2024-41666
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41666
    - fix: https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
    - fix: https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
    - fix: https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
    - web: https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
    - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw
source:
    id: CVE-2024-41666
    created: 2024-07-24T19:01:16.009164122Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports