Enhancement: cves/2022/CVE-2022-24856.yaml by mp

cves/2022/CVE-2022-24856.yaml

@@ -1,11 +1,12 @@
 id: CVE-2022-24856
 
 info:
-  name: Flyte Console < 0.52.0 - Server Side Request Forgery (SSRF)
+  name: Flyte Console <0.52.0 - Server-Side Request Forgery
   author: pdteam
   severity: high
   description: |
-    FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround.
+    FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur.
+  remediation: FlyteConsole is the web user interface for the Flyte platform. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Or, disable FlyteConsole availability on the internet as a workaround.
   reference:
     - https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9
     - https://github.com/flyteorg/flyteconsole/pull/389
@@ -27,3 +28,5 @@ requests:
       - type: word
         words:
           - "Interactsh Server"
+
+# Enhanced by mp on 2022/06/29