Kargo Open Redirect Vulnerability in OIDC Login Flow
Vulnerability
An open redirect vulnerability has been identified in Kargo, affecting versions prior to 1.7.10, 1.8.13, 1.9.8, and 1.10.2. The Kargo UI reads the 'redirectTo' query parameter on the '/login' and '/token-renew' routes and, after a successful OpenID Connect (OIDC) login, navigates to that URL without validating it. Because the value is not restricted to the application's own origin, it can point to an external site controlled by an attacker, which makes the login flow usable for phishing.
Impact
Exploitation of this vulnerability enables open redirection to an attacker-controlled URL, creating a phishing opportunity where the attacker can impersonate Kargo or an associated identity provider to steal credentials from the user.
Reproduction
To reproduce this vulnerability, send a crafted link that includes a 'redirectTo' query parameter pointing to an external site. The link should be delivered to a victim through a channel that allows link sharing. Once the victim clicks the link and signs into Kargo, they will be redirected to the specified external site, bypassing the intended navigation flow.
Remediation
Users should update to Kargo version 1.7.10, 1.8.13, 1.9.8, or 1.10.2, which contain the fix for this vulnerability.
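One way to close this class of bug, shown here as an added example that is not Kargo's own code: restrict 'redirectTo' to same-origin paths before navigating after login. The function name, the application origin and the sample inputs are assumptions constructed for this example.

```javascript
// Added example (not Kargo's code): allow-list a post-login redirect target so a
// 'redirectTo' query parameter can only ever yield a path on the app's own origin.

const FALLBACK_PATH = '/';

// Returns a same-origin path (path + query + fragment) or the fallback.
function safeRedirectTarget(redirectTo, appOrigin, fallback = FALLBACK_PATH) {
  if (typeof redirectTo !== 'string' || redirectTo.trim() === '') {
    return fallback;
  }
  const value = redirectTo.trim();
  // Accept only relative paths. Reject protocol-relative ('//host') and
  // backslash ('/\host') forms, which browsers treat as external navigations.
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) {
    return fallback;
  }
  let parsed;
  try {
    // Resolve against the application's own origin. The URL parser strips
    // embedded tabs/newlines, so '/\t/host' becomes '//host'; the origin check
    // below catches such cases that slipped past the prefix checks.
    parsed = new URL(value, appOrigin);
  } catch {
    return fallback;
  }
  if (parsed.origin !== new URL(appOrigin).origin) {
    return fallback;
  }
  // Re-emit only path, query and fragment, never a scheme or host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs (assumed origin) showing what a login handler
// should accept and what it should send to the fallback instead.
function demo() {
  const origin = 'https://kargo.example.internal';
  const cases = [
    '/project/demo?stage=test#freight',          // accepted
    'https://kargo.example.internal/project/demo', // absolute URL: rejected
    'https://attacker.invalid/login',             // external origin: rejected
    '//attacker.invalid/login',                   // protocol-relative: rejected
    '/\\attacker.invalid',                        // backslash form: rejected
    '/\t/attacker.invalid',                       // tab smuggling: rejected
    'javascript:void(0)',                         // non-path scheme: rejected
    '',                                           // empty: fallback
  ];
  return cases.map((c) => [c, safeRedirectTarget(c, origin)]);
}
```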