CVE-2024-41666

4.7 MEDIUM

📋 TL;DR

Argo CD's web terminal checks a user's exec permission only when a terminal session is opened, never again while it runs. A user whose exec permission is later revoked therefore keeps shell access to the container for as long as that terminal session stays open. It affects deployments where an administrator has enabled the web terminal (exec.enabled in argocd-cm) and granted exec through RBAC, and the outcome is continued access to container contents after that access should have ended.

💻 Affected Systems

Products:
  • Argo CD
Versions: 2.6.0 through 2.9.20, 2.10.0 through 2.10.15, and 2.11.0 through 2.11.6 (each minor is fixed in the release that follows: 2.9.21, 2.10.16, 2.11.7)
Operating Systems: All platforms running Argo CD
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the web terminal is enabled (exec.enabled: "true" in the argocd-cm ConfigMap, off by default) and a user has been granted exec through an RBAC policy line such as 'p, role:myrole, exec, create, */*, allow'

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

A user whose exec permission was revoked (or an attacker holding that user's open browser session) keeps an interactive shell in production containers for as long as the websocket lives: reading secrets mounted into the pod, changing files, or running further commands, all with the container's own privileges.

🟠

Likely Case

Users whose exec permission was revoked (after a role change or offboarding, for example) keep working in an already-open terminal, whether or not they intend to, so data in the container stays exposed and unauthorized operations remain possible until the session ends.

🟢

If Mitigated

If the web terminal is disabled, or argocd-server is restarted after each revocation, the exposure is bounded by the lifetime of sessions that were already open. Nothing is escalated beyond what the user was originally granted; the problem is only that the grant outlives its revocation.

🌐 Internet-Facing: MEDIUM - Requires an authenticated user who already held exec permission and had a terminal open when it was revoked. Internet exposure only widens who can keep such a session alive; it does not remove that precondition.
🏢 Internal Only: HIGH - Where the web terminal is in routine use, a revocation in argocd-rbac-cm has no effect on open sessions, so the normal "revoke and done" workflow silently fails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated user with exec permissions that gets revoked while terminal session remains open

Exploitation requires: 1) Web terminal enabled, 2) User held exec permission when the session was opened, 3) Permission revoked while that session was active, 4) User keeps the existing websocket open; no new session is needed, and a new one would be denied, because the check at session start still works
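The persistence comes from where the permission check sits, not from a flaw in the check itself. The following Go program is added illustration, not Argo CD's code: it models a terminal session loop with a stand-in Enforcer and Session type (those names, and the recheckEvery parameter, are this example's own). With recheckEvery set to 0 it reproduces the vulnerable behaviour, RBAC consulted once when the websocket opens; with a positive interval it re-evaluates the same policy on a ticker, which catches an idle session, and before each command, which catches an active one, and closes the session once exec has been revoked.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"path"
	"sync"
	"time"
)

var (
	ErrForbidden         = errors.New("exec denied at session start")
	ErrPermissionRevoked = errors.New("exec permission revoked; terminal session closed")
)

// Enforcer answers "may subject exec into <project>/<application> right now?". In Argo CD
// this is the RBAC enforcer fed by argocd-rbac-cm; here it is a stand-in interface.
type Enforcer interface {
	CanExec(subject, object string) bool
}

// MemEnforcer is a constructed, mutable policy: subject -> allowed object globs such as
// "*/*", mirroring the object column of 'p, role:myrole, exec, create, */*, allow'.
type MemEnforcer struct {
	mu    sync.Mutex
	allow map[string][]string
}

func NewMemEnforcer() *MemEnforcer { return &MemEnforcer{allow: map[string][]string{}} }

func (m *MemEnforcer) Grant(subject, glob string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.allow[subject] = append(m.allow[subject], glob)
}

// Revoke drops every rule for subject, like deleting the role's line from argocd-rbac-cm.
func (m *MemEnforcer) Revoke(subject string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.allow, subject)
}

func (m *MemEnforcer) CanExec(subject, object string) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	for _, g := range m.allow[subject] {
		if ok, _ := path.Match(g, object); ok { // '*' does not cross '/', so "*/*" fits "proj/app"
			return true
		}
	}
	return false
}

// Session is one web-terminal websocket: Input carries what the browser sends, Output
// carries what actually reached the container (a stand-in for the exec stream).
type Session struct {
	Subject, Object string
	Input           <-chan string
	Output          chan<- string
}

// RunTerminal serves a session. With recheckEvery == 0 it behaves like the advisory's
// vulnerable versions: RBAC is consulted once, at open, and never again. With recheckEvery > 0
// the policy is re-evaluated on a ticker and before every command; either failure closes the
// session with ErrPermissionRevoked.
func RunTerminal(ctx context.Context, enf Enforcer, s Session, recheckEvery time.Duration) error {
	if !enf.CanExec(s.Subject, s.Object) {
		return ErrForbidden
	}
	var tick <-chan time.Time // stays nil in vulnerable mode, so that select case never fires
	if recheckEvery > 0 {
		t := time.NewTicker(recheckEvery)
		defer t.Stop()
		tick = t.C
	}
	for {
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-tick:
			if !enf.CanExec(s.Subject, s.Object) {
				return ErrPermissionRevoked
			}
		case cmd, ok := <-s.Input:
			if !ok {
				return nil // browser closed the websocket
			}
			if recheckEvery > 0 && !enf.CanExec(s.Subject, s.Object) {
				return ErrPermissionRevoked
			}
			s.Output <- cmd
		}
	}
}

func main() {
	// Constructed walk-through: grant, open the terminal, revoke mid-session, send one more command.
	for _, recheck := range []time.Duration{0, 100 * time.Millisecond} {
		enf := NewMemEnforcer()
		enf.Grant("role:myrole", "*/*")
		in, out, done := make(chan string, 1), make(chan string), make(chan error, 1)
		go func() {
			done <- RunTerminal(context.Background(), enf,
				Session{Subject: "role:myrole", Object: "default/guestbook", Input: in, Output: out}, recheck)
		}()
		in <- "ls /"
		fmt.Printf("recheck=%v executed %q\n", recheck, <-out)
		enf.Revoke("role:myrole")
		in <- "cat /var/run/secrets/kubernetes.io/serviceaccount/token"
		select {
		case got := <-out:
			fmt.Printf("recheck=%v executed %q after revocation (vulnerable)\n", recheck, got)
			close(in)
			fmt.Println("session ended:", <-done)
		case err := <-done:
			fmt.Println("session ended:", err)
		}
	}
}
```

Running it plays the same revoke-mid-session sequence twice: the second command reaches the container in the first run and closes the session in the second. A real implementation must also tear down the exec stream on the Kubernetes side, which the stand-in Output channel elides.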

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.7, 2.10.16, or 2.9.21

Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw

Restart Required: Yes

Instructions:

1. Back up your Argo CD configuration (at minimum the argocd-cm, argocd-rbac-cm and argocd-secret resources). 2. Upgrade to the patched release for your minor version (2.9.21, 2.10.16 or 2.11.7) or any later minor release, using your deployment method (Helm, Kustomize, kubectl apply of the install manifest). 3. Confirm the argocd-server pods have rolled; the rollout also drops any terminal sessions that were open on the old pods. 4. Verify with 'argocd version' and read the argocd-server line, not the argocd (CLI) line.

🔧 Temporary Workarounds

Disable Web Terminal Feature

all

Disable the vulnerable web terminal functionality entirely

argocd-cm ConfigMap (not argocd-cmd-params-cm): set exec.enabled to "false", or delete the key, since the feature is off by default; then restart argocd-server so that sessions opened while it was enabled are dropped

Force-Close Open Sessions After a Revocation

all

Restart argocd-server after any change to argocd-rbac-cm (or to an AppProject's role policies) that removes exec: every open terminal websocket ends with the old pods, and sessions that are re-opened are checked against the new policy. Shortening the login session (users.session.duration in argocd-cm) does not help here; it limits how long a token stays valid but does not close a websocket that is already established.

kubectl -n argocd rollout restart deployment argocd-server

🧯 If You Can't Patch

  • Disable the web terminal immediately (exec.enabled: "false" in the argocd-cm ConfigMap) and restart argocd-server so sessions that are already open are dropped
  • Treat every exec revocation in argocd-rbac-cm as incomplete until argocd-server has been restarted: restarting it is the one reliable way to end a terminal session that is already open

🔍 How to Verify

Check if Vulnerable:

Read the argocd-server line of 'argocd version' (the 'argocd:' line is only the CLI) and check whether it falls in 2.6.0-2.9.20, 2.10.0-2.10.15 or 2.11.0-2.11.6 AND the argocd-cm ConfigMap has exec.enabled set to "true". Both conditions must hold; a vulnerable version with the terminal disabled is not exploitable.

Check Version:

argocd version | grep -i 'argocd-server:'

Or read the image tag straight from the Deployment (assuming the default argocd namespace):

kubectl -n argocd get deploy argocd-server -o jsonpath='{.spec.template.spec.containers[0].image}'

Verify Fix Applied:

Confirm the argocd-server line of 'argocd version' reads 2.9.21, 2.10.16, 2.11.7 or a later release, then test the fix end to end: open a web terminal as a test user that holds exec, remove that user's exec line from argocd-rbac-cm, and confirm the already-open session stops executing commands instead of continuing to work.
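The two checks above combined into one program, as an added Go example that is not Argo CD's code: it encodes the three affected ranges from the advisory and the exec.enabled switch from argocd-cm. The version string is the argocd-server line of 'argocd version' (or the Deployment's image tag), and the sample versions and ConfigMap data in main are constructed, not read from a cluster.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver is the numeric part of an Argo CD release tag such as "v2.10.15".
type semver struct{ major, minor, patch int }

// parseVersion accepts "v2.10.15", "2.10.15" or "v2.10.15+a1b2c3" (the build metadata
// that argocd version appends is dropped). Pre-release tags such as "v2.11.0-rc1" are
// rejected, because the advisory ranges only describe released versions.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a release version: %q", s)
	}
	var v semver
	for i, dst := range []*int{&v.major, &v.minor, &v.patch} {
		n, err := strconv.Atoi(parts[i])
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad component %q in %q", parts[i], s)
		}
		*dst = n
	}
	return v, nil
}

func (v semver) less(o semver) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// affectedRanges are the vulnerable intervals from GHSA-v8wx-v5jq-qhhw as [from, fixed):
// "fixed" is the first patched release of each minor.
var affectedRanges = []struct{ from, fixed semver }{
	{semver{2, 6, 0}, semver{2, 9, 21}},
	{semver{2, 10, 0}, semver{2, 10, 16}},
	{semver{2, 11, 0}, semver{2, 11, 7}},
}

// IsAffected reports whether an argocd-server version lies in a vulnerable range.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if !v.less(r.from) && v.less(r.fixed) {
			return true, nil
		}
	}
	return false, nil
}

// ExecEnabled reads the web-terminal switch from the argocd-cm ConfigMap data. The
// terminal stays off unless exec.enabled is the string "true".
func ExecEnabled(argocdCM map[string]string) bool {
	return argocdCM["exec.enabled"] == "true"
}

// Exposed is the "Check if Vulnerable" rule: vulnerable version AND terminal enabled.
func Exposed(version string, argocdCM map[string]string) (bool, error) {
	affected, err := IsAffected(version)
	if err != nil {
		return false, err
	}
	return affected && ExecEnabled(argocdCM), nil
}

func main() {
	// Constructed sample input. On a real cluster fill cm from
	//   kubectl -n argocd get cm argocd-cm -o jsonpath='{.data}'
	// and the version from the argocd-server line of 'argocd version'.
	cm := map[string]string{"exec.enabled": "true"}
	for _, ver := range []string{"v2.9.20", "v2.9.21", "v2.10.15+a1b2c3", "v2.11.7", "v2.5.9", "v2.12.0", "v2.11.0-rc1"} {
		exposed, err := Exposed(ver, cm)
		fmt.Printf("%-18s exposed=%-5v err=%v\n", ver, exposed, err)
	}
}
```

The error path matters in fleet-wide use: a version the program cannot classify (a release candidate, a garbled line) should be reported and decided by hand rather than counted as "not affected".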

📡 Detection & Monitoring

Log Indicators:

  • Terminal sessions persisting after permission revocation events
  • Exec commands from users with revoked permissions

Network Indicators:

  • Sustained websocket connections to terminal endpoints after RBAC changes

SIEM Query:

Illustrative pseudo-query, not a vendor-supplied rule. Argo CD writes no "permission revoked" log line: a revocation is visible only as an edit to argocd-rbac-cm (or to an AppProject's role policies) in the Kubernetes audit log or your GitOps pipeline, and terminal use as websocket upgrades of the /terminal endpoint on argocd-server, which may have to be logged at the ingress or proxy in front of it.

(source="kube-audit" AND objectRef.resource="configmaps" AND objectRef.name="argocd-rbac-cm" AND verb IN ("update","patch")) THEN, for the subjects whose exec line was removed, (source="ingress" AND uri="/terminal" AND connection opened before the ConfigMap change AND not yet closed)

🔗 References
