Prefect WebSocket Endpoint Missing Authentication Vulnerability

Vulnerability

A vulnerability exists in PrefectHQ Prefect versions prior to 3.6.14, specifically within the WebSocket endpoint at '/api/events/in'. This flaw allows remote attackers to connect without authentication and inject arbitrary events. The issue arises because the endpoint does not properly enforce authentication, even when the 'PREFECT_SERVER_API_AUTH_STRING' is set. As a result, injected events bypass security measures and can disrupt the application's event handling and automation processes.

Impact

Exploitation of this vulnerability allows for unauthorized event injection into the Prefect automation system. Injected events are processed and can trigger various automated workflows, potentially leading to unauthorized actions within the application.

Reproduction

The vulnerability can be reproduced by connecting to the WebSocket endpoint '/api/events/in' without any authentication. This can be done using a WebSocket client that does not include the required auth tokens or subprotocols. Once connected, arbitrary JSON events can be sent through the WebSocket, which will be accepted and processed by the Prefect server.

Remediation

Users are advised to upgrade to Prefect version 3.6.14, which addresses this vulnerability by adding the necessary authentication requirements to the WebSocket endpoint.
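As an added example (not Prefect's own code or part of the original advisory), the following script gives an operator two post-upgrade checks: an inventory check that flags Prefect server versions older than the 3.6.14 fix, and a handshake probe that attempts the WebSocket upgrade on '/api/events/in' with no credentials and records only the HTTP status the server answers with. It assumes the operator supplies the server base URL (the `http://127.0.0.1:4200` default below is a placeholder) and that the server has PREFECT_SERVER_API_AUTH_STRING configured, since a server with no auth string will accept the handshake regardless of version. No events are sent; the socket is closed right after the handshake.

```python
"""Post-upgrade verification for the /api/events/in authentication fix.
Added example, not Prefect project code.  Assumptions: the base URL is supplied
by the operator and PREFECT_SERVER_API_AUTH_STRING is set on the server."""
import base64
import http.client
import os
import re
import sys
from urllib.parse import urlparse

FIXED_VERSION = (3, 6, 14)          # first release carrying the fix, per the advisory
EVENTS_IN_PATH = "/api/events/in"   # endpoint named in the advisory


def is_affected(version: str) -> bool:
    """True when a Prefect server version predates the 3.6.14 fix.

    A pre-release suffix (rc, dev, ...) on 3.6.14 itself still predates the
    final release, so it is treated as affected.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    final = 0 if suffix else 1
    return (int(major), int(minor), int(patch), final) < FIXED_VERSION + (1,)


def classify_handshake(status: int) -> str:
    """Map the HTTP status of an unauthenticated upgrade attempt to a verdict."""
    if status == 101:
        return "ACCEPTED: upgrade completed without credentials (affected if version < 3.6.14)"
    if status in (401, 403):
        return "REJECTED: server refused the unauthenticated handshake"
    return f"INCONCLUSIVE: unexpected status {status}, check proxy or server logs"


def probe_events_in(base_url: str, timeout: float = 5.0) -> int:
    """Send a bare WebSocket upgrade request (no Authorization header, no
    subprotocol) to /api/events/in and return the HTTP status the server
    answers with.  http.client returns a 101 response as-is, so the status
    alone tells us whether the handshake was accepted.  Nothing is sent after
    the handshake and the connection is closed immediately."""
    u = urlparse(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    key = base64.b64encode(os.urandom(16)).decode()   # required by the handshake, any 16 random bytes
    headers = {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": key,
    }
    try:
        conn.request("GET", EVENTS_IN_PATH, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_events_in.py <prefect-server-version> [base-url]
    # The default URL is a placeholder assumption, not a value from the advisory.
    version = sys.argv[1] if len(sys.argv) > 1 else "3.6.14"
    url = sys.argv[2] if len(sys.argv) > 2 else "http://127.0.0.1:4200"
    print("version", version, "affected:", is_affected(version))
    status = probe_events_in(url)
    print("handshake status", status, "->", classify_handshake(status))
```

The version check is the authoritative signal; the handshake probe is a second opinion for confirming the deployed build behaves as expected behind whatever proxy fronts it. Treat a 101 on a version at or above 3.6.14 as something to review rather than a finding, because a server may enforce authentication after the upgrade rather than during it.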

Added: May 4, 2026, 3:19 AM
Updated: May 4, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.