CVE-2023-41891

Published: Oct 30, 2023

Modified: Sep 6, 2024

PUBLISHED

CVSS v3.1

3.5

LOW

Description

FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. Prior to version 1.1.124, list endpoints on FlyteAdmin have a SQL vulnerability where a malicious user can send a REST request with custom SQL statements as list filters. The attacker needs to have access to the FlyteAdmin installation, typically either behind a VPN or authentication. Version 1.1.124 contains a patch for this issue.

Vendor	Product	Versions
flyteorg	flyteadmin	affected `< 1.1.124`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-r847-6w6h-r8g4

x_refsource_CONFIRM

https://github.com/flyteorg/flyteadmin/commit/b3177ef70f068e908140b8a4a9913dfa74f289fd

x_refsource_MISC

https://owasp.org/www-community/attacks/SQL_Injection#

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-41891

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References