Kargo Unauthenticated API Access Vulnerability Allowing Configuration Exfiltration and Denial-of-Service
Vulnerability
A vulnerability in Kargo's API server allowed unauthenticated access to the `GetConfig()` and `RefreshResource` API endpoints in Kargo versions prior to 1.8.7, 1.7.7, and 1.6.3. The issue stemmed from improper authentication checks: a request reached the `GetConfig()` endpoint as long as it carried a non-empty `Bearer` token in the `Authorization` header, regardless of whether that token was valid. Exploitation could expose configuration data, including the endpoints of connected Argo CD clusters, which in turn could facilitate further attacks by enumerating cluster URLs and namespaces. The `RefreshResource` endpoint does not disclose information, but an unauthenticated attacker could misuse it to disrupt Kargo's API operations: it triggers resource reconciliations in Kubernetes, and if invoked continuously it could hinder legitimate requests to the Kubernetes API server.
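The flawed check described above, modelled in Go as an added illustration (this is not Kargo's own code): `vulnerableAuth` treats any non-empty bearer token as authentication, while `hardenedAuth` only authenticates when a verifier accepts the token; `constructedVerifier` is a constructed stand-in for a real token validator.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// bearerToken extracts the token from an "Authorization: Bearer <token>" header.
func bearerToken(h http.Header) string {
	auth := h.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(auth, "Bearer "))
}

// vulnerableAuth models the flaw above: any non-empty bearer token passes, never verified.
func vulnerableAuth(h http.Header, _ func(string) (string, bool)) (string, bool) {
	if bearerToken(h) != "" {
		return "unverified-caller", true
	}
	return "", false
}

// hardenedAuth authenticates the request only when the verifier accepts the token.
func hardenedAuth(h http.Header, verify func(string) (string, bool)) (string, bool) {
	tok := bearerToken(h)
	if tok == "" {
		return "", false
	}
	return verify(tok)
}

// constructedVerifier is a constructed stand-in for real token validation: one token is valid.
func constructedVerifier(token string) (string, bool) {
	if token == "valid-example-token" {
		return "alice", true
	}
	return "", false
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Bearer not-a-real-token") // constructed, invalid token
	_, ok := vulnerableAuth(h, constructedVerifier)
	fmt.Println("vulnerable check accepts invalid token:", ok) // true
	_, ok = hardenedAuth(h, constructedVerifier)
	fmt.Println("hardened check accepts invalid token:", ok) // false
}
```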
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive configuration data through the `GetConfig()` API endpoint. This data could be used to facilitate further attacks on connected Argo CD clusters. Additionally, the `RefreshResource` endpoint could be exploited to disrupt Kargo's API operations and slow down legitimate requests to the Kubernetes API server, creating a denial-of-service effect.
Reproduction
The vulnerability can be reproduced by sending a request to the `GetConfig()` or `RefreshResource` API endpoint with an `Authorization` header that carries a non-empty `Bearer` token. The token does not need to be valid: the endpoints accept any non-empty token, bypassing the authentication checks. Any HTTP client that can set request headers, such as curl or Postman, or a script, suffices.
Remediation
Users are advised to upgrade to Kargo versions 1.8.7, 1.7.7, or 1.6.3, where this vulnerability has been patched.
