+ "details": "## Summary\n\nKargo's built-in `http` and `http-download` promotion steps execute outbound HTTP requests from the Kargo controller. By design, these steps do not restrict destination addresses, as there are legitimate use cases for requests to internal and private endpoints. However, this also permits requests to link-local addresses, for which there are no known, legitimate use cases. Of particular concern is the cloud instance metadata endpoint (often `169.254.169.254`), which is unauthenticated and can expose sensitive configuration data including IAM credentials. While cloud providers typically implement header-based SSRF mitigations for these endpoints, the `http` step provides full control over request method and headers, rendering these protections ineffective. The `http-download` step provides control over headers only (not method), but this is still sufficient for exfiltrating data from metadata endpoints.\n\nThere are two vectors for exploitation. A user with permission to create or update a Stage can configure its promotion template to include malicious `http` or `http-download` steps. Alternatively, a user with `promote` permission on any Stage can craft a Promotion resource directly. In either case, the controller executes the steps in-cluster, and response data can be inserted into Promotion status fields, written to a Git repository, or sent to a remote location using a second instance of the `http` step.\n\nThe remediation for this issue is the introduction of a safe HTTP transport that refuses to dial link-local addresses. Requests to private and internal addresses will continue to be permitted, as this is by design. It is the responsibility of services at such addresses to implement proper authentication and authorization, and/or the responsibility of platform teams to define and enforce network policies that restrict traffic appropriately.\n\n## Base Metrics\n\nThe following sections provide the rationale for the values selected for each of CVSS v4's base metrics.\n\n### Attack Vector (AV): Network\n\nThe Kargo API server is accessible over HTTP/HTTPS. No local, adjacent network, or physical access is required.\n\n### Attack Complexity (AC): Low\n\nExploitation requires only a crafted Promotion manifest submitted via the Kargo API. No race conditions, non-default configurations, or prior information gathering is required.\n\n### Attack Requirements (AT): None\n\nNo specific environmental conditions are required beyond a standard Kargo deployment. The `http` and `http-download` built-in steps are always available.\n\n### Privileges Required (PR): High\n\nThe attacker must be authenticated to the Kargo API server and hold permissions sufficient to create or update a Stage, or to craft a Promotion resource directly. Although these may not be considered administrative permissions, they are non-trivial, not granted broadly by default, and must be explicitly assigned by a project administrator.\n\n### User Interaction (UI): None\n\nThe attack is fully automated via API calls. No other user needs to take any action. The controller processes the malicious Promotion without human intervention.\n\n### Confidentiality Impact to Vulnerable System (VC): None\n\nKargo itself does not expose its own secrets or configuration data through this vulnerability. The impact is to other systems reachable from the controller's network position, not to Kargo's own data.\n\n### Integrity Impact to Vulnerable System (VI): None\n\nKargo's own data and configuration are not modified by this vulnerability. While malicious Promotion resources are created, they function within Kargo's normal processing pipeline.\n\n### Availability Impact to Vulnerable System (VA): None\n\nThis vulnerability does not enable denial of service against Kargo. Each Promotion executes a bounded set of HTTP requests and does not consume disproportionate resources.\n\n### Confidentiality Impact to Subsequent Systems (SC): Low\n\nThe controller runs in-cluster and can reach link-local addresses, including cloud instance metadata endpoints. These endpoints are unauthenticated and can expose sensitive data such as IAM credentials. Provider-side header-based SSRF mitigations are ineffective because these steps provide full control over request headers.\n\n### Integrity Impact to Subsequent Systems (SI): None\n\nCloud instance metadata endpoints are read-only. While the `http` step supports arbitrary HTTP methods, the only unintended access enabled by this vulnerability is to link-local addresses, and these do not accept state-changing requests.\n\n### Availability Impact to Subsequent Systems (SA): None\n\nA single HTTP request per promotion step does not constitute a meaningful denial-of-service vector against subsequent systems. There is no amplification mechanism.\n\n## Mitigating Factors\n\n- Exploitation requires authentication to the Kargo API server with permissions to create or update Stages, or to craft Promotion resources directly. These permissions must be explicitly granted by a project administrator.\n\n- All Promotion creation is audited. The creating user's identity is recorded in annotations and Kubernetes events, providing a clear forensic trail.\n\n- The practical impact is limited to cloud instance metadata endpoints. Access to private and internal addresses is by design, and services at those addresses are expected to implement their own authentication and authorization.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments