CVE-2022-24856
CRITICAL NUCLEIFlyteConsole < 0.52.0 - Server-Side Request Forgery via CORS Proxy
Title source: llmExploitation Summary
CVE-2022-24856 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround.
Nuclei Templates (1)
Flyte Console <0.52.0 - Server-Side Request Forgery
HIGHby pdteam
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9
Patch, Third Party Advisory x_refsource_misc
https://github.com/flyteorg/flyteconsole/pull/389
Patch, Third Party Advisory x_refsource_misc
https://github.com/flyteorg/flyteconsole/commit/05b88ed2d2ecdb5d8a8404efea25414e57189709
Third Party Advisory x_refsource_misc
https://github.com/flyteorg/flyteconsole/releases/tag/v0.52.0
Scores
CVSS v3
9.1
EPSS
0.0966
EPSS Percentile
94.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-918
Status
published
Products (1)
flyte/flyte_console
< 0.52.0
Published
May 17, 2022
Tracked Since
Feb 18, 2026