CVE-2022-31145 github.com/flyteorg/flyteadmin

Package

Manager: go
Name: github.com/flyteorg/flyteadmin
Vulnerable Version: >=0 <1.1.31

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00393 (percentile 0.59513)

Details

FlyteAdmin Insufficient AccessToken Expiration Check

### Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.

### Patches

1.1.30

### Workarounds

Rotating signing keys immediately will:

* Invalidate all open sessions,
* Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded, and hide the flyteadmin deployment ingress URL from the internet.

### References

https://github.com/flyteorg/flyteadmin/pull/455

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [flyte repo](https://github.com/flyteorg/flyte/issues)
* Email us at [flyte](mailto:admin@flyte.org)
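The class of check the advisory describes as missing, shown as an added example in Go (not flyteadmin's own code and not the fix from PR 455): after an ID or Access Token's signature has been verified by the OIDC library, the `exp` claim must still be enforced against the current time. The function names `checkExpiry` and `makeUnsignedToken`, the 30-second leeway and the constructed sample token are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims holds the one claim this check needs: "exp", an RFC 7519 NumericDate (Unix seconds).
type Claims struct {
	Exp int64 `json:"exp"`
}

// checkExpiry is the check the advisory describes as missing: decode a compact JWT's payload
// and reject it once "exp" has passed, allowing a small clock-skew leeway. A token with no
// "exp" is rejected rather than treated as valid forever. Signature checks happen elsewhere.
func checkExpiry(token string, now time.Time, leeway time.Duration) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token: expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload decode: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("payload parse: %w", err)
	}
	if c.Exp == 0 {
		return fmt.Errorf("token has no exp claim")
	}
	if exp := time.Unix(c.Exp, 0); now.After(exp.Add(leeway)) {
		return fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	return nil
}

// makeUnsignedToken builds a constructed sample token (empty signature) for offline use only.
func makeUnsignedToken(exp int64) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(Claims{Exp: exp})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	fmt.Println(checkExpiry(makeUnsignedToken(time.Now().Add(-time.Hour).Unix()), time.Now(), 30*time.Second))
}
```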

Metadata

Created: 2022-07-15T18:10:48Z
Modified: 2023-02-09T20:22:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-qwrj-9hmp-gpxh/GHSA-qwrj-9hmp-gpxh.json
CWE IDs: ["CWE-298", "CWE-613"]
Alternative ID: GHSA-qwrj-9hmp-gpxh
Finding: F076
Auto approve: 1