GHSA-qwrj-9hmp-gpxh

Suggest an improvement
Source
https://github.com/advisories/GHSA-qwrj-9hmp-gpxh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-qwrj-9hmp-gpxh/GHSA-qwrj-9hmp-gpxh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwrj-9hmp-gpxh
Aliases
Published
2022-07-15T18:10:48Z
Modified
2023-11-08T04:09:27.482212Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
FlyteAdmin Insufficient AccessToken Expiration Check
Details

Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.

Patches

1.1.30

Workarounds

Rotating signing keys immediately will: * Invalidate all open sessions, * Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded,

Hide flyteadmin deployment ingress url from the internet.

References

https://github.com/flyteorg/flyteadmin/pull/455

For more information

If you have any questions or comments about this advisory: * Open an issue in flyte repo * Email us at flyte

References

Affected packages

Go / github.com/flyteorg/flyteadmin

Package

Name
github.com/flyteorg/flyteadmin
View open source insights on deps.dev
Purl
pkg:golang/github.com/flyteorg/flyteadmin

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.31