GHSA-QWRJ-9HMP-GPXH

Vulnerability from github – Published: 2022-07-15 18:10 – Updated: 2023-02-09 20:22
VLAI?
Summary
FlyteAdmin Insufficient AccessToken Expiration Check
Details

Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.

Patches

1.1.30

Workarounds

Rotating signing keys immediately will: * Invalidate all open sessions, * Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded,

Hide flyteadmin deployment ingress url from the internet.

References

https://github.com/flyteorg/flyteadmin/pull/455

For more information

If you have any questions or comments about this advisory: * Open an issue in flyte repo * Email us at flyte

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/flyteorg/flyteadmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-298",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-15T18:10:48Z",
    "nvd_published_at": "2022-07-13T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAuthenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.\nUsing flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.\n\n### Patches\n1.1.30\n\n### Workarounds\nRotating signing keys immediately will:\n* Invalidate all open sessions,\n* Force all users to attempt to obtain new tokens.\n\nContinue to rotate keys until flyteadmin has been upgraded,\n\nHide flyteadmin deployment ingress url from the internet.\n\n### References\nhttps://github.com/flyteorg/flyteadmin/pull/455\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [flyte repo](https://github.com/flyteorg/flyte/issues)\n* Email us at [flyte](mailto:admin@flyte.org)\n",
  "id": "GHSA-qwrj-9hmp-gpxh",
  "modified": "2023-02-09T20:22:10Z",
  "published": "2022-07-15T18:10:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/pull/455"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flyteorg/flyteadmin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/releases/tag/v1.1.31"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0519"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FlyteAdmin Insufficient AccessToken Expiration Check"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.