CVSS v3.1 base score: 6.5 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None

EPSS: 0.001 (Low), percentile 32.5%
Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.
Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.
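The failure described above is a verifier that checks a token's signature but never its lifetime. The Go example below is added here and is not flyteadmin's code or the fix from the linked pull request: it mints HS256 tokens with a constructed key so it runs offline, then contrasts a signature-only verifier (VerifyUnsafe), which accepts an expired token, with a hardened verifier (VerifySafe) that also enforces exp and nbf against the caller's clock with a small skew allowance and rejects tokens that carry no exp at all. The key, the function names and the 30 second leeway are assumptions for illustration; tokens from an external identity provider are normally RS256/ES256 and verified against the provider's published keys, and the same lifetime checks apply there.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT registered claims this example checks.
type Claims struct {
	Subject   string `json:"sub"`
	NotBefore int64  `json:"nbf,omitempty"`
	ExpiresAt int64  `json:"exp,omitempty"`
}

// signingKey is a constructed HS256 secret standing in for the identity
// provider's key material; an assumption for illustration only.
var signingKey = []byte("constructed-example-key-do-not-use")

// leeway is the clock skew tolerated between issuer and verifier (assumed).
const leeway = 30 * time.Second

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// MintToken builds an HS256 JWT so the example can construct tokens offline.
// It stands in for the identity provider; it is not an issuer's real code.
func MintToken(c Claims, key []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(header) + "." + b64(payload)
	return input + "." + b64(hs256(key, input)), nil
}

// parseAndVerifySignature checks structure, pins the algorithm and verifies
// the HMAC. On its own this is the vulnerable pattern: a correctly signed
// token is accepted no matter how long ago it expired.
func parseAndVerifySignature(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(hs256(key, parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// VerifyUnsafe mirrors the bug class: signature only, no lifetime checks.
func VerifyUnsafe(token string, key []byte, _ time.Time) (*Claims, error) {
	return parseAndVerifySignature(token, key)
}

// VerifySafe is the hardened form: signature, then exp and nbf against now.
// A token with no exp at all is rejected rather than treated as eternal.
func VerifySafe(token string, key []byte, now time.Time) (*Claims, error) {
	c, err := parseAndVerifySignature(token, key)
	if err != nil {
		return nil, err
	}
	if c.ExpiresAt == 0 {
		return nil, errors.New("token has no exp claim")
	}
	if exp := time.Unix(c.ExpiresAt, 0); now.After(exp.Add(leeway)) {
		return nil, fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	if c.NotBefore != 0 && now.Before(time.Unix(c.NotBefore, 0).Add(-leeway)) {
		return nil, errors.New("token not yet valid")
	}
	return c, nil
}
```

To see the difference, mint a token whose exp is an hour in the past and pass it to both verifiers with `time.Now()`: VerifyUnsafe returns the claims, VerifySafe returns an expiry error. Passing `now` explicitly rather than reading the clock inside the verifier is deliberate; it keeps the check testable and makes the skew policy visible at the call site.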
1.1.30
Rotating signing keys immediately will:
Continue to rotate keys until flyteadmin has been upgraded.
Hide the flyteadmin deployment ingress URL from the internet.
https://github.com/flyteorg/flyteadmin/pull/455
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/flyteorg/flyteadmin | lt | 1.1.31 |
github.com/flyteorg/flyteadmin
github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a
github.com/flyteorg/flyteadmin/pull/455
github.com/flyteorg/flyteadmin/releases/tag/v1.1.31
github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh
nvd.nist.gov/vuln/detail/CVE-2022-31145
pkg.go.dev/vuln/GO-2022-0519