Headline
CVE-2022-24856
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire cors_proxy, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround.
Impact
Vulnerability type: server-side request forgery or SSRF
Every user of Flyte, where FlyteConsole is open to general internet is vulnerable to attack where the attacker can access the internal metadata server or other unauthenticated urls. It also passes the headers along, which can be very dangerous.
Patches
The patch deletes the entire cors_proxy as this is not required for console anymore.
The patch has been merged and and released. #389
Also, all previous versions of flyteconsole have been yanked and deleted.
Users should upgrade to flyteconsole v0.52.0 or later.
This is published as an image available here: https://github.com/orgs/flyteorg/packages/container/flyteconsole/19114769?tag=v0.52.0
Workarounds
Disable Flyteconsole availability on the internet
References
Not yet
For more information
If you have any questions or comments about this advisory:
- Email [email protected]