Kargo Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints
Vulnerability
An authorization bypass vulnerability has been identified in Kargo, a tool for managing and automating software artifact promotion. This vulnerability affects versions 1.7.0 prior to 1.7.8, as well as 1.8.11 and 1.9.3. The issue arises in the batch resource creation endpoints of both Kargo's legacy gRPC API and the newer REST API, which accept multi-document YAML payloads. Exploiting it allows arbitrary resources to be injected into the namespace of an existing Project using the API server's own permissions rather than the caller's. This unintended behavior can be used to elevate permissions, potentially leading to remote code execution or unauthorized access to sensitive information. In certain Kargo control plane configurations the elevated permissions could also be used with kubectl to carry out further attacks, although the most severe consequences do not require this.
Impact
Exploitation of this vulnerability allows unauthorized injection of resources into a Project's namespace and, through the elevated permissions this grants, access to the Project's secrets, which often hold sensitive credentials. This could lead to unauthorized actions in connected systems, such as exfiltration of further confidential information or manipulation of resources in ways that disrupt service availability.
Reproduction
To reproduce this vulnerability, authenticate to the Kargo API and send a multi-document YAML payload to a batch resource creation endpoint of either the legacy gRPC API or the newer REST API. The payload contains resource documents of kinds the endpoint was not intended to create; because the endpoint creates them in the target Project's namespace with the API server's permissions instead of the caller's, the resources are injected and the caller's privileges are effectively elevated.
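As an added illustration (not Kargo's own code, nor its actual fix), here is the kind of defender-side check this advisory implies was missing: every document in a batch payload must be of an allowed Kargo resource kind and must target the Project's own namespace. The allowlist, the minimal manifest reader and the sample payload are all constructed for this example.

```python
import re

# Assumed allowlist of Kargo kinds the batch endpoint should create
# (an assumption for this example; Kargo's real set may differ).
ALLOWED_KINDS = {"Stage", "Warehouse", "PromotionTask"}

def parse_manifest(doc: str) -> dict:
    # Minimal reader for flat 'key: value' lines and a 'metadata:' block;
    # it handles only the constructed sample below, not general YAML.
    out, section = {}, None
    for line in doc.splitlines():
        key, _, value = line.strip().partition(":")
        if not key or key.startswith("#"):
            continue
        value = value.strip().strip("\"'")
        if not line.startswith((" ", "\t")):
            section = key if not value else None
            if value:
                out[key] = value
        elif section == "metadata":
            out["metadata." + key] = value
    return out

def validate_batch(payload: str, project_ns: str) -> list[str]:
    # One rejection reason per offending document; an empty list means accept.
    # Rejects kinds outside the allowlist and namespaces other than the Project's.
    problems = []
    docs = [d for d in re.split(r"(?m)^---\s*$", payload) if d.strip()]
    for i, doc in enumerate(docs):
        m = parse_manifest(doc)
        kind, ns = m.get("kind", "<missing>"), m.get("metadata.namespace")
        if kind not in ALLOWED_KINDS:
            problems.append(f"doc {i}: kind {kind!r} not allowed")
        elif ns != project_ns:
            problems.append(f"doc {i}: namespace {ns!r} != {project_ns!r}")
    return problems

# Constructed payload: a valid Stage, a Secret outside the allowlist, and a
# Warehouse aimed at another Project's namespace.
SAMPLE_PAYLOAD = """\
kind: Stage
metadata:
  namespace: demo-project
---
kind: Secret
metadata:
  namespace: demo-project
---
kind: Warehouse
metadata:
  namespace: other-project
"""
```

Running `validate_batch(SAMPLE_PAYLOAD, "demo-project")` accepts only the first document and reports the other two.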
Remediation
Users can update to Kargo versions 1.7.8, 1.8.11, or 1.9.3 to address this vulnerability.
