Vulnerabilities > CVE-2022-24856 - Unspecified vulnerability in Flyte Console
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround.
Vulnerable Configurations
References
- https://github.com/flyteorg/flyteconsole/commit/05b88ed2d2ecdb5d8a8404efea25414e57189709
- https://github.com/flyteorg/flyteconsole/commit/05b88ed2d2ecdb5d8a8404efea25414e57189709
- https://github.com/flyteorg/flyteconsole/pull/389
- https://github.com/flyteorg/flyteconsole/pull/389
- https://github.com/flyteorg/flyteconsole/releases/tag/v0.52.0
- https://github.com/flyteorg/flyteconsole/releases/tag/v0.52.0
- https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9
- https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9