prefect@2.20.24

Workflow orchestration and management.

  • latest version

    3.7.7.dev1

  • first published

    7 years ago

  • latest version published

    1 day ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the prefect package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity H/M/L)    Vulnerable Version
    • H
    Incorrect Authorization

    prefect is a workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest.

    Affected versions of this package are vulnerable to Incorrect Authorization due to improper handling of URL path exemptions in the authentication middleware: the exemption meant for the health and readiness endpoints matches on the path suffix rather than on the exact path. An attacker can gain unauthorized access to sensitive information by creating resources whose names end in health or ready and then requesting the endpoints for those resources without authentication.

    How to fix Incorrect Authorization?

    Upgrade prefect to version 3.6.22.dev7 or higher.

    [,3.6.22.dev7)
    • H
    Arbitrary Argument Injection


    Affected versions of this package are vulnerable to Arbitrary Argument Injection via the reference field in the GitHubRepository block, which is concatenated directly into a git clone command string without proper sanitization and then parsed by shlex.split(). An attacker can execute arbitrary git command-line options by supplying crafted input, potentially leading to server-side request forgery, credential theft, or remote code execution.

    How to fix Arbitrary Argument Injection?

    There is no fixed version for prefect.

    [0,)
    • L
    Arbitrary Argument Injection

    Affected versions of this package are vulnerable to Arbitrary Argument Injection via the commit_sha and directories arguments to GitRepository.__init__ in storage.py. An attacker who can modify prefect.yaml, or otherwise pass parameters into a git pull action, can inject strings beginning with -- into these arguments; git then interprets them as options, which can make the worker process hang indefinitely or, under some conditions, execute unintended commands on the remote host.

    For remote code execution by injecting a payload such as commit_sha = "--upload-pack=cmd", all of the following conditions must hold:

    • The repository accessible to the attacker is shared.

    • That repository is accessible via git commands over SSH.

    • The host is configured to accept arbitrary --upload-pack paths.

    How to fix Arbitrary Argument Injection?

    Upgrade prefect to version 3.6.25.dev7 or higher.

    [,3.6.25.dev7)
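The two argument-injection entries above (the reference field of GitHubRepository and the commit_sha/directories arguments of GitRepository) share one root cause: a value the user controls reaches git's argv as something that looks like an option. The following is an added illustration, not Prefect's code; the command shapes, the regular expressions and the helper names are assumptions made for this example, since the advisories do not quote Prefect's actual command strings.

```python
"""Added illustration (not Prefect's code) of git argument injection and of
one way to close it. Command shapes are assumed for the example."""
import re
import shlex

# Assumed allow-lists, deliberately stricter than git-check-ref-format:
# a refname never starts with '-' and never contains whitespace, and an
# object name is plain hex (abbreviated SHA-1 up to full SHA-256).
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/+-]*")
SAFE_SHA = re.compile(r"[0-9a-fA-F]{7,64}")

# Options the hardened builders put on the command line themselves.
KNOWN_OPTIONS = {"--branch", "--"}


def build_clone_vulnerable(url: str, reference: str) -> list[str]:
    """The flawed pattern: concatenate into one string, then shlex.split().
    Whitespace inside `reference` turns a single field into several argv
    elements, so the attacker chooses git options, not just a branch name."""
    return shlex.split(f"git clone --branch {reference} {url} repo")


def guarded(value: str, pattern: re.Pattern, name: str) -> str:
    """Reject anything that is not a plain refname or object name, including
    anything starting with '-', before git can read it as an option."""
    if value.startswith("-") or not pattern.fullmatch(value):
        raise ValueError(f"refusing unsafe git {name}: {value!r}")
    return value


def build_clone_fixed(url: str, reference: str) -> list[str]:
    """argv as a list (no shell, no shlex), a validated reference, and '--'
    so git stops option parsing before the positional arguments."""
    if url.startswith("-"):
        raise ValueError(f"refusing option-looking url: {url!r}")
    ref = guarded(reference, SAFE_REF, "reference")
    return ["git", "clone", "--branch", ref, "--", url, "repo"]


def build_checkout_fixed(commit_sha: str) -> list[str]:
    """commit_sha validated as hex, which by itself rules out the
    '--upload-pack=cmd' and hang-inducing '--...' payloads."""
    return ["git", "checkout", guarded(commit_sha, SAFE_SHA, "commit_sha")]


def injected_options(argv: list[str]) -> list[str]:
    """Audit helper: option-looking elements after the git sub-command that
    the builder did not add itself. Non-empty means injection succeeded."""
    return [a for a in argv[2:] if a.startswith("-") and a not in KNOWN_OPTIONS]


def rejects(builder, *args) -> bool:
    """True if the builder refuses the input with ValueError."""
    try:
        builder(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign reference and a crafted one that smuggles
    # an extra option through the whitespace boundary shlex.split() creates.
    url = "https://example.invalid/app.git"
    crafted = "main --upload-pack=/tmp/evil"
    print(injected_options(build_clone_vulnerable(url, crafted)))
    print(rejects(build_clone_fixed, url, crafted))
    print(build_clone_fixed(url, "release/2.20"))
```

The `--` separator only protects positional arguments; it does nothing for a value that is the argument of an option such as `--branch`, which is why the allow-list check on the value itself is the part that actually closes the hole.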
    • M
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the validate_restricted_url() function of the Webhook and CustomWebhookNotificationBlock components, which enables DNS rebinding attacks. When allow_private_urls is set to False, an attacker who controls the DNS record for the webhook host can bypass the intended URL restriction: the name resolves to a public IP address when validate_restricted_url() checks it, and to a private one when the HTTP client resolves it again at the time of the actual connection.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade prefect to version 3.6.28.dev2 or higher.

    [,3.6.28.dev2)
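The race above is the generic validate-then-connect flaw: the check resolves the hostname once, and the client resolves it again. The following added illustration, which is not Prefect's code, models an attacker-controlled zone that answers differently on successive lookups and runs it against both patterns; the resolver class, the function names and the IP addresses are constructed for this example.

```python
"""Added illustration (not Prefect's code) of the DNS-rebinding TOCTOU in a
validate-then-connect URL check, beside a resolve-once-and-pin variant.
Resolver, names and addresses are constructed; nothing touches the network."""
import ipaddress
from collections import deque
from urllib.parse import urlsplit


class RebindingResolver:
    """Stand-in for an attacker-controlled DNS zone with a zero TTL: hands out
    the queued answers in order, then keeps repeating the last one."""

    def __init__(self, hostname: str, answers: list[str]):
        self.hostname = hostname
        self._answers = deque(answers)
        self.lookups = 0

    def resolve(self, host: str) -> str:
        self.lookups += 1
        if host != self.hostname:
            raise LookupError(host)
        ip = self._answers[0]
        if len(self._answers) > 1:
            self._answers.popleft()
        return ip


def is_private(ip: str) -> bool:
    """Anything that should not be reachable from a webhook: RFC 1918,
    loopback, link-local (cloud metadata lives at 169.254.169.254), etc."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_reserved or a.is_multicast or a.is_unspecified)


def validate_then_connect(url: str, resolver: RebindingResolver,
                          allow_private_urls: bool = False) -> str:
    """Vulnerable pattern: validate one resolution, then hand the *hostname*
    to the client, which resolves again. Returns the address actually dialed."""
    host = urlsplit(url).hostname
    if not allow_private_urls and is_private(resolver.resolve(host)):
        raise ValueError("private address rejected")
    return resolver.resolve(host)  # second lookup, inside the "HTTP client"


def validate_and_connect_pinned(url: str, resolver: RebindingResolver,
                                allow_private_urls: bool = False) -> str:
    """Fixed pattern: resolve once, validate that address, and connect to that
    same address; the hostname is only used for the Host header and SNI."""
    host = urlsplit(url).hostname
    ip = resolver.resolve(host)
    if not allow_private_urls and is_private(ip):
        raise ValueError("private address rejected")
    return ip


def connect_rejected(connect, url: str, resolver: RebindingResolver) -> bool:
    """True if the given connect function refuses the URL."""
    try:
        connect(url, resolver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: first answer public, second answer the metadata IP.
    zone = ["93.184.216.34", "169.254.169.254"]
    url = "https://hook.attacker.invalid/notify"
    print(validate_then_connect(url, RebindingResolver("hook.attacker.invalid", zone)))
    print(validate_and_connect_pinned(url, RebindingResolver("hook.attacker.invalid", zone)))
```

Pinning the address has to be repeated on every redirect hop, and the HTTP client must be told to use the pinned IP for the socket while keeping the original hostname for TLS; a check that only validates the first URL still lets a 302 to an internal address through.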
    • M
    Improper Authentication

    Affected versions of this package are vulnerable to Improper Authentication in the health check middleware, which relies on an endswith() check on the request path to decide which GET requests may be served without authentication. An attacker can access files that are reachable via the legitimate path to the endpoint and whose names end in ready or health, but cannot control those filenames or their contents.

    How to fix Improper Authentication?

    Upgrade prefect to version 3.6.22.dev7 or higher.

    [,3.6.22.dev7)
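The Incorrect Authorization and Improper Authentication entries describe the same defect from two angles: an exemption that matches the suffix of the request path instead of the exact health-check paths. The following is an added illustration, not Prefect's middleware; the endpoint paths, the probe list and the helper names are assumptions made for this example.

```python
"""Added illustration (not Prefect's code): a suffix-based exemption in an
authentication middleware beside an exact-match replacement. Endpoint paths
and probes are constructed for the example."""
from urllib.parse import urlsplit

# Assumed: the only endpoints that should be reachable without credentials.
EXEMPT_PATHS = frozenset({"/api/health", "/api/ready"})


def is_exempt_vulnerable(path: str) -> bool:
    """The pattern the advisories describe: any request path ending in
    'health' or 'ready' is treated as a health check and skips auth."""
    return path.endswith("health") or path.endswith("ready")


def is_exempt_fixed(path: str) -> bool:
    """Exact match against the allow-list after normalising the path: drop the
    query string, collapse repeated slashes, strip a trailing slash. A resource
    that merely happens to be named '...-health' no longer qualifies."""
    normalised = urlsplit(path).path
    while "//" in normalised:
        normalised = normalised.replace("//", "/")
    normalised = normalised.rstrip("/") or "/"
    return normalised in EXEMPT_PATHS


# Constructed request paths: the two real probes, variants a load balancer
# might send, and resource names an attacker can choose so that the
# suffix check fires.
PROBES = (
    "/api/health",
    "/api/ready",
    "/api/health/",
    "/api//ready?verbose=1",
    "/api/deployments/prod-health",
    "/api/flow_runs/not-ready",
)


def served_unauthenticated(exempt) -> list[str]:
    """Which of the constructed paths the given exemption rule would serve
    without credentials."""
    return [p for p in PROBES if exempt(p)]


if __name__ == "__main__":
    print("vulnerable:", served_unauthenticated(is_exempt_vulnerable))
    print("fixed:     ", served_unauthenticated(is_exempt_fixed))
```

The fixed rule also makes the two legitimate probes more robust (a trailing slash or a query string no longer breaks the health check), which is a useful side effect when the exemption is rewritten; the security property, though, comes from the exact match, not the normalisation.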
    • M
    Missing Authentication for Critical Function


    Affected versions of this package are vulnerable to Missing Authentication for Critical Function at the /api/events/in endpoint. An attacker can send JSON events into an existing stream, which can at least pollute the stream and at worst trigger automations if they know the details of a given target's subscription. This is possible without authentication, even when PREFECT_SERVER_API_AUTH_STRING is set, because subscriptions.accept_prefect_socket() is never applied before allowing a connection on the vulnerable endpoint.

    How to fix Missing Authentication for Critical Function?

    Upgrade prefect to version 3.6.14.dev5 or higher.

    [,3.6.14.dev5)