CVE-2023-6022: Prefect Cross Site Request Forgery
First published: Thu Nov 16 2023(Updated: )
An attacker is able to steal secrets and potentially gain remote code execution via CSRF using the Prefect API.
An attacker is able to steal secrets and potentially gain remote code execution via CSRF using a self-hosted, open source Prefect API.
Credit: security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Prefect Prefect | ||
| pip/prefect | >=2.0.0<2.14.3 | 2.14.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-6022?
CVE-2023-6022 is a vulnerability that allows an attacker to steal secrets and potentially gain remote code execution via Cross-Site Request Forgery (CSRF) using the Prefect API.
How severe is CVE-2023-6022?
CVE-2023-6022 has a severity level of 8.8 (high).
How does CVE-2023-6022 work?
CVE-2023-6022 allows an attacker to perform CSRF attacks by tricking a user into visiting a specially crafted website or clicking a malicious link, which then leads to the theft of secrets and potential remote code execution.
What software is affected by CVE-2023-6022?
The Prefect software is affected by CVE-2023-6022.
Is there a fix for CVE-2023-6022?
To fix CVE-2023-6022, it is recommended to update Prefect to the latest version or apply any available patches or security updates provided by the vendor.
- collector/mitre-cve
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-4hh5-2678-83fx
- alias/CVE-2023-6022
- collector/nvd-cve
- vendor/prefect
- product/prefect
- canonical/prefect prefect
- package-manager/pip