FlyteAdmin Insufficient AccessToken Expiration Check
Moderate severity
GitHub Reviewed
Published
Jul 13, 2022
in
flyteorg/flyteadmin
•
Updated Feb 14, 2023
Package
Affected versions
< 1.1.31
Patched versions
1.1.31
Description
Published by the National Vulnerability Database
Jul 13, 2022
Published to the GitHub Advisory Database
Jul 15, 2022
Reviewed
Jul 15, 2022
Last updated
Feb 14, 2023
Impact
Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.
Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.
Patches
1.1.30
Workarounds
Rotating signing keys immediately will:
Continue to rotate keys until flyteadmin has been upgraded,
Hide flyteadmin deployment ingress url from the internet.
References
flyteorg/flyteadmin#455
For more information
If you have any questions or comments about this advisory:
References