Temporal Web UI Unauthenticated Access Scanner

This scanner detects unauthenticated access to the Temporal Web UI. Unauthenticated access means that anyone can gain entry to the system without providing credentials. It is crucial to identify and secure these entry points to protect sensitive data and functionality.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days
Scan only one: URL
Toolbox: -

Temporal Web UI is used by organizations for the visualization and management of workflows. It provides a user interface for developers and operations teams to interact with the Temporal backend, allowing them to start, stop, and monitor workflows efficiently. It is often deployed internally within a company's IT infrastructure but can also be exposed over the internet for remote operations. The Web UI is an essential component for maintaining operational oversight in complex distributed systems. Depending on its configuration, it can be used across various platforms and environments, including cloud and on-premises infrastructures. Organizations that handle large volumes of background jobs or need robust workflow management typically use Temporal Web UI.

Unauthenticated Access occurs when a web application allows users to interact with it without requiring them to prove their identity. In the context of the Temporal Web UI, this means potential unauthorized users can gain entry to the system and interact with workflows or obtain sensitive information without proper credentials. This vulnerability can allow unauthorized individuals or processes to access or modify the application's data, potentially disrupting services or exposing confidential information. It compromises the integrity of the application and poses a security risk that can be exploited by malicious actors. Securing access by implementing proper authentication mechanisms is vital to protecting the system. Effective mitigation involves enforcing authentication and authorization policies to restrict access.

The Temporal Web UI is vulnerable when authentication is not enforced on its endpoints. The affected endpoints include static assets such as "/favicon.ico" and the API path "/api/v1/namespaces/default/workflows?query=", which should be protected but are instead reachable without login. In practice, a user can fetch the favicon or issue workflow list queries without ever being prompted for credentials. This misconfiguration allows anyone with network access to interact with the Temporal Web UI. Ensuring that the Web UI only responds to authenticated requests is crucial to maintaining security. The template detects the issue by checking the HTTP status codes and response content of these endpoints to verify whether unprotected access is possible.
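As an added example (not part of the scanner page or of the Temporal project), the following Python script performs the same status-code-and-content check an asset owner would run against their own deployment. It assumes the Web UI's workflow list endpoint answers a successful query with a JSON object carrying an "executions" list; the base URL and that response shape are assumptions, and the sample responses in the test are constructed.

```python
"""Defender's check: does a Temporal Web UI serve workflow data without login?"""
import json
import urllib.error
import urllib.request

# The two paths named on the scanner page.
WORKFLOWS_PATH = "/api/v1/namespaces/default/workflows?query="
FAVICON_PATH = "/favicon.ico"


def is_unauthenticated_exposure(status, content_type, body):
    """Classify one response from the workflows endpoint.

    A deployment that enforces login answers with 401/403 or redirects to an
    identity provider (which ends in an HTML login page, not JSON). A 200 JSON
    document whose top-level object carries an "executions" list means the API
    returned workflow data without any credentials. (The "executions" key is an
    assumption about the UI server's response shape.)
    """
    if status != 200 or "json" not in (content_type or "").lower():
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("executions"), list)


def probe(base_url, timeout=10):
    """Fetch both paths with no Authorization header; return True if exposed."""
    results = {}
    for path in (FAVICON_PATH, WORKFLOWS_PATH):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = (resp.status, resp.headers.get("Content-Type", ""),
                                 resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            # 401/403 land here; record the code so the caller can see it.
            results[path] = (err.code, err.headers.get("Content-Type", ""), "")
    status, ctype, body = results[WORKFLOWS_PATH]
    return is_unauthenticated_exposure(status, ctype, body)


if __name__ == "__main__":
    # Assumed placeholder address for a deployment you own.
    print("exposed" if probe("http://localhost:8080") else "login enforced or unreachable")
```

A favicon that loads without login is a weak signal on its own; the workflow list endpoint returning JSON is what confirms that application data is reachable unauthenticated.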

If this vulnerability is exploited, unauthorized individuals may potentially tamper with ongoing workflows or acquire sensitive information, leading to disrupted services. Extracting or altering workflows can result in process failures or data integrity issues. Attackers could leverage this access to perform further reconnaissance within the network. It can also lead to information leakage, where sensitive data could be exposed to unintended parties. In an enterprise setting, this could potentially lead to data breaches and loss of intellectual property. Implementing a robust authentication protocol is essential to minimizing these risks.
