CVE-2022-31145

Published: Jul 13, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet.

Vendor	Product	Versions
flyteorg	flyteadmin	affected `<= 1.1.30`

Weaknesses (CWE)

CWE-613

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh

x_refsource_CONFIRM

https://github.com/flyteorg/flyteadmin/pull/455

x_refsource_MISC

https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-31145

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References