Authentik · Authentik · CVE-2024-52289
**Name of the Vulnerable Software and Affected Versions**
authentik versions prior to 2024.8.5, and releases of the 2024.10 series before 2024.10.3. The fix ships in 2024.8.5 and 2024.10.3; those releases and later are not affected.
**Description**
The issue concerns authentik, an open-source identity provider. In the OAuth2 provider, the `redirect_uri` sent by a client is validated by treating each configured Redirect URI as a regular expression and comparing the received value against it. Because the configured value is used verbatim, characters with a special meaning in RegEx (most commonly `.`, which matches any single character) are not escaped and act as wildcards. In addition, when no Redirect URIs are configured on a provider, authentik stores the first `redirect_uri` value it receives as the allowed Redirect URI, again without escaping it. Either way an attacker can bypass redirect URI validation and have the authorization response delivered to a host they control. For example, given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register the domain `fooaexample.com`: the unescaped `.` in `foo.example` matches the `a`, so `https://fooaexample.com` passes validation.
**Recommendations**
Upgrade to version 2024.8.5 or 2024.10.3 (or later) to resolve the issue.
As a temporary workaround, when configuring OAuth2 providers, escape every RegEx metacharacter in the Redirect URI field that is not intended to function as a wildcard; in particular, replace each `.` with `\.`. Also make sure every provider has at least one Redirect URI configured, so that the first value received from a client is never adopted as the allow-list entry.
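The following Python example, added here and not taken from authentik's code base, models the three behaviours described above: the verbatim-RegEx comparison that lets `https://fooaexample.com` match a configured `https://foo.example.com`, the first-use auto-registration of an unescaped pattern, and the advisory's workaround of escaping `.` as `\.`. The function names, the use of `re.fullmatch`, and the representation of the allow-list as a plain Python list are assumptions made for the demonstration.

```python
"""Model of CVE-2024-52289 redirect URI matching (added example, not authentik code)."""
import re


def matches_regex_verbatim(allowed_uris, redirect_uri):
    """Vulnerable comparison: each configured URI is used verbatim as a RegEx.

    An unescaped '.' matches any single character, so the configured
    'https://foo.example.com' also accepts 'https://fooaexample.com'.
    Assumption: authentik's comparison is modelled with re.fullmatch.
    """
    return any(re.fullmatch(pattern, redirect_uri) is not None for pattern in allowed_uris)


def matches_regex_escaped(allowed_uris, redirect_uri):
    """Hardened comparison: escape metacharacters before matching, so the
    configured value is compared literally unless a wildcard is intended."""
    return any(re.fullmatch(re.escape(pattern), redirect_uri) is not None for pattern in allowed_uris)


def check_redirect_with_autoregister(allowed_uris, redirect_uri, escape=False):
    """Model of the provider check including first-use auto-registration.

    When the allow-list is empty, the first redirect_uri seen is stored as
    the pattern (assumption: the list is mutated in place). With escape=False
    the value is stored verbatim, reproducing the vulnerable behaviour; with
    escape=True it is stored as a literal pattern.
    """
    if not allowed_uris:
        allowed_uris.append(re.escape(redirect_uri) if escape else redirect_uri)
    return matches_regex_verbatim(allowed_uris, redirect_uri)


# Constructed sample configuration and inputs for the demonstration.
CONFIGURED_URI = "https://foo.example.com"
WORKAROUND_URI = r"https://foo\.example\.com"  # advisory workaround: '.' escaped as '\.'
LEGITIMATE_REDIRECT = "https://foo.example.com"
ATTACKER_REDIRECT = "https://fooaexample.com"  # attacker-registered look-alike host


def demo():
    """Return a dict of outcomes so the behaviour can be inspected or asserted on."""
    return {
        # Verbatim RegEx comparison: look-alike host passes validation.
        "verbatim_accepts_attacker": matches_regex_verbatim([CONFIGURED_URI], ATTACKER_REDIRECT),
        "verbatim_accepts_legit": matches_regex_verbatim([CONFIGURED_URI], LEGITIMATE_REDIRECT),
        # Workaround: the escaped configuration rejects the look-alike host
        # even under the verbatim comparison.
        "workaround_accepts_attacker": matches_regex_verbatim([WORKAROUND_URI], ATTACKER_REDIRECT),
        "workaround_accepts_legit": matches_regex_verbatim([WORKAROUND_URI], LEGITIMATE_REDIRECT),
        # Code-level fix: escaping inside the comparison.
        "escaped_accepts_attacker": matches_regex_escaped([CONFIGURED_URI], ATTACKER_REDIRECT),
        "escaped_accepts_legit": matches_regex_escaped([CONFIGURED_URI], LEGITIMATE_REDIRECT),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block prints `verbatim_accepts_attacker: True` alongside `workaround_accepts_attacker: False` and `escaped_accepts_attacker: False`, which is the whole bug in one line: a configuration that reads like a literal hostname is in fact a pattern. The auto-registration helper shows why an empty Redirect URI list is its own risk: the first client-supplied value becomes the pattern, and any metacharacters it contains are stored unescaped.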