OSV:GHSA-QWRJ-9HMP-GPXH
History: Jul 15, 2022 - 6:10 p.m.

FlyteAdmin Insufficient AccessToken Expiration Check

Published: 2022-07-15 18:10:48
Source: Google osv.dev

6.5 Medium (CVSS 3.1)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None

EPSS: 0.001 (Low), percentile 32.5%

Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.
Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.
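The failure mode described above, as an added example that is not flyteadmin's own code and does not reproduce the patched logic in the referenced pull request: a minimal HS256 token minter stands in for the external identity provider (the secret and claims are constructed for the example; a real IdP would sign with RS256/ES256 keys published via JWKS), one verifier checks only the signature, which is the behaviour the advisory describes, and a second verifier also enforces the exp claim against the verifier's own clock with a bounded leeway for skew and rejects a token that carries no exp at all. The names MintHS256, ValidateVulnerable, ValidateFixed and DefaultLeeway are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example inspects.
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// DefaultLeeway bounds the clock skew tolerated between issuer and verifier.
const DefaultLeeway = 30 * time.Second

var b64 = base64.RawURLEncoding

// MintHS256 builds a compact HS256 JWT. It stands in for the external IdP
// purely so the example is self-contained; the secret is a constructed value.
func MintHS256(secret []byte, c Claims) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// parseAndVerify checks the HMAC signature and decodes the claims. It says
// nothing about time: that omission is the gap the advisory describes.
func parseAndVerify(token string, secret []byte) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// ValidateVulnerable models the pre-fix behaviour: a correctly signed token
// is accepted no matter what its exp claim says.
func ValidateVulnerable(token string, secret []byte) (Claims, error) {
	return parseAndVerify(token, secret)
}

// ValidateFixed additionally enforces exp against the verifier's clock, with a
// bounded leeway for skew, and treats a missing exp as a hard failure.
func ValidateFixed(token string, secret []byte, now time.Time, leeway time.Duration) (Claims, error) {
	c, err := parseAndVerify(token, secret)
	if err != nil {
		return c, err
	}
	if c.Exp == 0 {
		return c, errors.New("token has no exp claim")
	}
	exp := time.Unix(c.Exp, 0)
	if !now.Before(exp.Add(leeway)) {
		return c, fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	return c, nil
}

func main() {
	secret := []byte("example-idp-signing-key") // constructed, not a real key
	now := time.Date(2022, 7, 15, 18, 0, 0, 0, time.UTC)
	expired := MintHS256(secret, Claims{
		Sub: "alice",
		Iat: now.Add(-2 * time.Hour).Unix(),
		Exp: now.Add(-time.Hour).Unix(), // expired one hour before "now"
	})
	if _, err := ValidateVulnerable(expired, secret); err == nil {
		fmt.Println("vulnerable check: expired token ACCEPTED")
	}
	if _, err := ValidateFixed(expired, secret, now, DefaultLeeway); err != nil {
		fmt.Println("fixed check:", err)
	}
}
```

The check is made against the verifier's clock, not against iat or any value carried in the token, and the leeway is a fixed constant rather than something an attacker can influence; a token with no exp is rejected rather than treated as non-expiring, because an issuer that omits exp gives the verifier no basis for bounding the session.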

Patches

1.1.30

Workarounds

Rotating signing keys immediately will:

  • Invalidate all open sessions,
  • Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded.

Hide the flyteadmin deployment ingress URL from the internet.

References

https://github.com/flyteorg/flyteadmin/pull/455

For more information

If you have any questions or comments about this advisory:

CPE Name                         Operator  Version
github.com/flyteorg/flyteadmin   lt        1.1.31
