Executive Summary

In version 3.6.19 of prefecthq/prefect, there is an authentication bypass vulnerability caused by improper handling of URL path exemptions for health check probes.

The authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks, allowing attackers to create resource names ending with these strings and access them without authentication.

Affected endpoints include variables, flows, work pools, work queues, and deployments.

This flaw allows unauthorized access to sensitive information such as API keys and database credentials stored in Prefect Variables.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data within the Prefect system.

• Attackers can bypass authentication by exploiting the suffix-based exemption for URL paths ending with 'health' or 'ready'.
• They can access endpoints related to variables, flows, work pools, work queues, and deployments without proper authorization.
• Sensitive information such as API keys and database credentials stored in Prefect Variables may be exposed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if any requests to Prefect endpoints with URL paths ending in "health" or "ready" are being allowed without authentication.

One way to detect this is to monitor network traffic or logs for requests to paths such as "/variables/*-health" or "/flows/*-ready" that do not require authentication.

You can use commands like curl to test if authentication is bypassed for crafted URLs. For example:

• curl -i http://<prefect-server>/variables/system-health
• curl -i http://<prefect-server>/flows/myflow-ready

If these requests return sensitive information without requiring authentication, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update Prefect to a version that includes the fix where the authentication middleware checks for exact path matches rather than suffix matches.

The fix ensures that only exact paths "/health" or "/ready" are exempt from authentication, preventing unauthorized access via crafted paths.

Until the update can be applied, consider restricting access to Prefect endpoints at the network level, such as by using firewall rules or API gateways to enforce authentication on all paths.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized access to sensitive information such as API keys and database credentials stored in Prefect Variables. Unauthorized access to such sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the authentication bypass could result in exposure of confidential data, potentially violating data protection requirements and increasing the risk of data breaches.

Useful 0 Not Useful 0