Skip to content
This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

Insufficient AccessToken Expiration Check

High
EngHabu published GHSA-qwrj-9hmp-gpxh Jul 13, 2022

Package

gomod github.com/flyteorg/flyteadmin (Go)

Affected versions

< 1.1.29

Patched versions

1.1.29

Description

Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.
Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.

Patches

1.1.30

Workarounds

Rotating signing keys immediately will:

  • Invalidate all open sessions,
  • Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded,

Hide flyteadmin deployment ingress url from the internet.

References

#455

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-31145

Weaknesses

No CWEs

Credits