AIKIDO-2024-10407

prefect is vulnerable to Server-side Request Forgery (SSRF)

80

High

prefect python

AIKIDO-2024-10407: prefect is vulnerable to Server-side Request Forgery (SSRF) in versions 2.8.0 - 2.20.10 and 3.0.0 - 3.0.1.

Server-side Request Forgery (SSRF)
Vuln in 2.8.0 - 2.20.10
Fixed in 2.20.11
Vuln in 3.0.0 - 3.0.1
Fixed in 3.0.2
No CVE available
TL;DR

Affected versions of the package are vulnerable to server-side request forgery (SSRF). If a user is self-hosting a Prefect API that they expose to "external" users of any kind, it's possible for a malicious user to configure a notification URL that points to an internal API (e.g., an internal Cloud provider API), which could result in information exposure.

Who does this affect?

You're affected if you are running a version that falls within the vulnerable ranges listed above.

How can it be fixed?

Upgrade the prefect library to a patched version (2.20.11 for the 2.x line, 3.0.2 for the 3.x line).
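The two checks a self-hosted deployment would want around this advisory, as an added example (not Prefect's own code): a version test against the ranges quoted above, and a URL validator that refuses notification targets resolving to internal address space. The `resolver` parameter and the hostnames in the docstring are assumptions made so the check can run offline.

```python
"""Defensive checks inspired by AIKIDO-2024-10407 (added example, not
Prefect's own code): flag affected prefect versions and reject notification
URLs that point at internal address space."""
import ipaddress
import socket
from urllib.parse import urlparse

# Affected version ranges quoted in the advisory (inclusive bounds).
VULNERABLE_RANGES = [((2, 8, 0), (2, 20, 10)), ((3, 0, 0), (3, 0, 1))]

def is_vulnerable_version(version):
    """True if a plain 'X.Y.Z' prefect version falls in an affected range."""
    v = tuple(int(part) for part in version.split("."))
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def default_resolver(host):
    """Resolve a hostname to every A/AAAA address it has (live DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_notification_url(url, resolver=default_resolver):
    """Return True only if the server may safely call this URL.

    Rejects non-http(s) schemes, IP-literal hosts in non-global ranges, and
    hostnames where *any* resolved address is non-global (loopback, RFC 1918,
    link-local such as 169.254.0.0/16, ULA, unspecified, IANA-reserved).
    The resolver is injectable (assumption) so the check is testable offline.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        addrs = [ipaddress.ip_address(host)]        # IP literal (v4 or [v6])
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False                            # unresolvable: fail closed
    if not addrs:
        return False
    # One private/reserved record is enough to reject the whole target.
    return all(addr.is_global for addr in addrs)
```

Validating at configuration time does not cover a record that changes between validation and delivery, so the same check belongs in the HTTP client that actually sends the notification.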

Background info

Link to vendor website

© 2024 Aikido Security BV | BE0792914919
🇪🇺 Grauwpoort 1, 9000 Ghent, Belgium
🇺🇸 95 Third St, 2nd Fl, San Francisco, CA 94103, US