Prefect Health Check API Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in PrefectHQ Prefect versions prior to 3.6.22. The issue resides in the Health Check API, specifically in the 'endswith' check applied to the '/api/health' endpoint. The flaw results in improper authentication handling and can be exploited remotely. It has been publicly disclosed and is actively being exploited.

Impact

Exploitation of this vulnerability allows unauthorized access to certain API endpoints, bypassing authentication requirements. This could lead to unauthorized users accessing sensitive information or performing actions that require authentication.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/api/health' endpoint while the 'PREFECT_SERVER_API_AUTH_STRING' environment variable is set, which enables authentication. The health-check exemption is applied incorrectly, so requests gain access to other endpoints that should require authentication.
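As an added illustration (not Prefect's own code), the block below contrasts an exemption check based on a path suffix, the 'endswith' pattern the advisory names, with an exact-path check, and includes a helper for reviewing access-log paths for requests that only the weak check would have admitted. The sample paths are constructed to show the pattern and are not verified bypasses against Prefect.

```python
# Added example, not Prefect's code: contrasts a suffix-based exemption with an
# exact-path exemption for an unauthenticated health endpoint, and flags
# request paths that only the weak check would have let through.
from urllib.parse import urlsplit

HEALTH_PATH = "/api/health"  # the endpoint named in the advisory


def is_exempt_by_suffix(raw_path: str) -> bool:
    """Weak pattern: exempts any path that merely ends with the health path."""
    return raw_path.endswith(HEALTH_PATH)


def is_exempt_exact(raw_path: str) -> bool:
    """Hardened pattern: the whole path component must equal the health path.

    Only the path is compared; query string and fragment are discarded first.
    Where the framework exposes the matched route object, compare that instead
    of the raw string so URL normalisation is not re-implemented here.
    """
    return urlsplit(raw_path).path == HEALTH_PATH


def suspicious_paths(paths):
    """Return paths the suffix check would exempt but the exact check rejects.

    Useful when reviewing access logs for requests that abused the weak check.
    """
    return [p for p in paths if is_exempt_by_suffix(p) and not is_exempt_exact(p)]


# Constructed sample of request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/api/health",
    "/api/health?verbose=1",   # legitimate health request with a query string
    "/api/flows",
    "/api/flows/api/health",   # constructed: ends with the health path but is another route
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:28} suffix={is_exempt_by_suffix(p)!s:5} exact={is_exempt_exact(p)}")
    print("suspicious:", suspicious_paths(SAMPLE_PATHS))
```

Note that the suffix check also gets the legitimate case wrong: a health request carrying a query string no longer ends with the path, so the weak check is both too permissive and too strict.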

Remediation

Users are advised to upgrade to Prefect version 3.6.22, which addresses the authentication bypass issue. Instructions for updating can be found in the Prefect documentation.

Added: May 4, 2026, 3:18 AM
Updated: May 4, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 9.5
remediation: 8.3
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.