Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found in the authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run in a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versions 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.
Kargo versions prior to 1.8.7, 1.7.7, and 1.6.3 contain an authentication bypass vulnerability in GetConfig() and RefreshResource endpoints that allows unauthenticated users with any non-empty Bearer token to access sensitive configuration data and perform denial-of-service attacks. This vulnerability enables attackers to enumerate Argo CD cluster URLs and namespaces for subsequent exploitation.
Kargo versions prior to 1.8.7, 1.7.7, and 1.6.3 contain a flaw in the authentication checks on the GetConfig() endpoint that allows unauthorized users to access sensitive configuration data such as the endpoints of connected Argo CD clusters. The same flaw can affect the RefreshResource endpoint, allowing denial-of-service attacks.
Upgrade Kargo to version 1.8.7, 1.7.7, or 1.6.3 or later immediately. Implement network-level access controls to restrict API endpoint access. Validate and verify all Bearer tokens before processing requests. Monitor API logs for suspicious authentication attempts with invalid tokens.
Upgrade Kargo to version 1.8.7, 1.7.7, or 1.6.3 or later immediately. Implement network-level access controls to restrict access to the endpoints. Verify all Bearer tokens before processing requests. Monitor API logs to detect suspicious authentication attempts with invalid tokens.
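The flaw described above (a handler that checks only that some Bearer token is present, not that it is valid) and the mitigation advice to verify tokens and log failed attempts, shown side by side as an added example. This is illustrative code written for this page, not Kargo's own implementation; `validTokens` stands in for a real token verifier, and the `/config` path is a placeholder, not Kargo's actual route.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-in for a real token verifier (OIDC/JWT etc.); constructed for this example, not Kargo's code.
var validTokens = map[string]bool{"constructed-valid-token": true}
// bearerToken returns the token after "Bearer ", or "" if the header is absent or malformed.
func bearerToken(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
}
// weakAuthorized is the flawed pattern the advisory describes: a token must be present, but is never validated.
func weakAuthorized(r *http.Request) bool {
	return bearerToken(r) != ""
}
// strictAuthorized is the hardened check: the token must be present and verified.
func strictAuthorized(r *http.Request) bool {
	tok := bearerToken(r)
	return tok != "" && validTokens[tok]
}
// requireAuth answers failed checks with 401 and logs them so repeated invalid-token attempts show in API logs.
func requireAuth(check func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			log.Printf("auth failed path=%s remote=%s", r.URL.Path, r.RemoteAddr)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// status sends one GET with the given Authorization header through requireAuth and returns
// the status code ("/config" is a placeholder path, not Kargo's real route).
func status(check func(*http.Request) bool, authHeader string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/config", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	requireAuth(check, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

With `weakAuthorized`, an arbitrary token such as `Bearer anything` yields 200, which is exactly the bypass in the advisory; `strictAuthorized` returns 401 for the same request and only admits a token the verifier knows.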