Kargo Authorization Bypass Vulnerability in REST API Promotion Endpoints
Vulnerability
An authorization bypass vulnerability has been identified in Kargo versions 1.9.0 through 1.9.2. Kargo's authorization model includes a custom 'promote' verb that gates the promotion of 'Freight' from one 'Stage' to another. This verb is enforced correctly in Kargo's legacy gRPC API. In the newer REST API, however, three endpoints never evaluate it: they rely solely on the standard Kubernetes RBAC permissions of the underlying resources (patching 'Freight' status and creating 'Promotion' objects). A user who holds those resource-level permissions but was deliberately denied 'promote' can therefore approve and promote Freight anyway. The affected endpoints are '/v1beta1/projects/{project}/freight/{freight}/approve', '/v1beta1/projects/{project}/stages/{stage}/promotions', and '/v1beta1/projects/{project}/stages/{stage}/promotions/downstream'.
Impact
Exploitation of this vulnerability allows a user to bypass the 'promote' authorization check and, depending on the endpoint used, approve 'Freight' for a stage, promote 'Freight' to a specific stage, or promote it to that stage's downstream stages. Because promotions drive the desired state consumed by tools such as Argo CD, this can cause an artifact revision that was never authorized for promotion to be deployed, disrupting the environments behind those stages.
Reproduction
To reproduce this vulnerability, authenticate to the Kargo API with an account that has 'patch' permission on 'Freight' status (for the approve endpoint) and/or 'create' permission on 'Promotion' resources (for the two promotions endpoints), but does not have the 'promote' verb on 'Stages'. The absence of the verb can be confirmed with 'kubectl auth can-i promote stages.kargo.akuity.io -n <project> --as <user>', which should answer 'no'. Then send a request to one of the affected REST API endpoints. On an affected version the request is processed successfully, bypassing the intended authorization check; the same operation through the gRPC API is rejected.
Remediation
Users should upgrade to Kargo version 1.9.3, where the REST endpoints enforce the 'promote' verb as the gRPC API already did. No configuration change restores the check on affected versions, since the endpoints never consult it.
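As an added illustration (not Kargo's own code), the Go program below shows the shape of the missing gate: a net/http middleware that recognises the three affected REST paths, works out which project and stage the request promotes to, and refuses the request unless the caller holds the 'promote' verb for that stage, independently of whatever resource-level RBAC the handler behind it checks. Everything beyond the three paths is an assumption made for the example: the caller identity arrives in a hypothetical X-Subject header, the freight approval body carries the target stage in a JSON field named "stage", the downstream endpoint is checked against the named stage rather than each downstream stage, and a static in-memory table stands in for the Kubernetes SubjectAccessReview Kargo would actually issue.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// PromoteAuthorizer answers whether subject may "promote" to stage in project.
// In Kargo this is backed by Kubernetes RBAC; here it is an interface so the
// example runs without a cluster.
type PromoteAuthorizer interface {
	CanPromote(ctx context.Context, subject, project, stage string) bool
}

// StaticAuthorizer is a constructed stand-in for the RBAC lookup: it maps a
// subject to the "project/stage" pairs it may promote to.
type StaticAuthorizer map[string]map[string]bool

func (s StaticAuthorizer) CanPromote(_ context.Context, subject, project, stage string) bool {
	return s[subject][project+"/"+stage]
}

// The three REST paths named in the advisory.
var (
	approvePath    = regexp.MustCompile(`^/v1beta1/projects/([^/]+)/freight/([^/]+)/approve$`)
	promotePath    = regexp.MustCompile(`^/v1beta1/projects/([^/]+)/stages/([^/]+)/promotions$`)
	downstreamPath = regexp.MustCompile(`^/v1beta1/projects/([^/]+)/stages/([^/]+)/promotions/downstream$`)
)

// promoteTarget reports whether r hits a gated endpoint and, if so, which
// project and stage the "promote" check applies to.
func promoteTarget(r *http.Request) (project, stage string, gated bool, err error) {
	p := r.URL.Path
	if m := promotePath.FindStringSubmatch(p); m != nil {
		return m[1], m[2], true, nil
	}
	if m := downstreamPath.FindStringSubmatch(p); m != nil {
		// Assumption/simplification: the named stage stands in for its
		// downstream stages, which a real check would evaluate individually.
		return m[1], m[2], true, nil
	}
	if m := approvePath.FindStringSubmatch(p); m != nil {
		body, rerr := io.ReadAll(r.Body)
		if rerr != nil {
			return "", "", true, rerr
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // let the real handler read it again
		var req struct {
			Stage string `json:"stage"` // assumed field name
		}
		if jerr := json.Unmarshal(body, &req); jerr != nil || req.Stage == "" {
			return "", "", true, fmt.Errorf("approve: body must name the stage to approve for")
		}
		return m[1], req.Stage, true, nil
	}
	return "", "", false, nil
}

// RequirePromote wraps next and rejects requests to the affected endpoints
// unless the caller holds "promote" for the target stage. Requests to any
// other path pass through untouched.
func RequirePromote(authz PromoteAuthorizer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		project, stage, gated, err := promoteTarget(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if gated && !authz.CanPromote(r.Context(), r.Header.Get("X-Subject"), project, stage) {
			http.Error(w, "forbidden: promote verb required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Dispatch runs one request through the gate in front of a handler that always
// succeeds and returns the resulting HTTP status code.
func Dispatch(authz PromoteAuthorizer, method, path, body, subject string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("X-Subject", subject) // hypothetical identity header
	rec := httptest.NewRecorder()
	RequirePromote(authz, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed table: alice may promote to guestbook/test; bob (the account
	// with only patch-on-Freight-status and create-on-Promotion) may not.
	authz := StaticAuthorizer{"alice": {"guestbook/test": true}}
	for _, c := range []struct{ subject, path, body string }{
		{"bob", "/v1beta1/projects/guestbook/freight/abc123/approve", `{"stage":"test"}`},
		{"bob", "/v1beta1/projects/guestbook/stages/test/promotions", ""},
		{"bob", "/v1beta1/projects/guestbook/stages/test/promotions/downstream", ""},
		{"alice", "/v1beta1/projects/guestbook/stages/test/promotions", ""},
	} {
		fmt.Printf("%-6s POST %-60s -> %d\n", c.subject, c.path, Dispatch(authz, "POST", c.path, c.body, c.subject))
	}
}
```

The point of the gate is that it runs before, and independently of, the handler's own resource-level checks: bob's 'create' on Promotion still lets the handler succeed once the middleware is satisfied, but it no longer substitutes for the 'promote' verb.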
