PT-2022-20561 · Unknown · Flyteadmin

Mayitbeegh · Published 2022-07-13 · Updated 2022-07-30 · CVE-2022-31145

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

FlyteAdmin versions 1.1.30 and prior

Description

The issue concerns the improper validation of access tokens, allowing authenticated users who use an external identity provider to continue using Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue.

Recommendations

For FlyteAdmin versions 1.1.30 and prior, as a temporary workaround, consider rotating signing keys immediately to invalidate all open sessions and force all users to attempt to obtain new tokens. Continue to rotate keys until FlyteAdmin has been upgraded. Additionally, hide the FlyteAdmin deployment ingress URL from the internet. Once a patch is available, upgrade to the patched version on the master branch of the repository.
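The defect class described above, a token accepted after its lifetime has ended, is easiest to see next to the check that prevents it. The following is an added example written for this entry in Go, the language FlyteAdmin is implemented in; it is not FlyteAdmin's code. It decodes the claims segment of a compact JWT and contrasts a validator that ignores the exp claim with one that enforces exp and nbf with a small clock-skew leeway. The subject, timestamps and placeholder signature are constructed for the example, and signature verification against the identity provider's published keys is assumed to happen separately before the claims are trusted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims holds the registered JWT claims relevant to lifetime checks.
type claims struct {
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"`           // seconds since the Unix epoch
	NotBefore int64  `json:"nbf,omitempty"` // optional
}

// leeway tolerates small clock skew between the identity provider and this server.
const leeway = 30 * time.Second

// decodeClaims extracts the claims segment of a compact JWT (header.payload.signature).
// It does NOT verify the signature; a real validator must verify it against the
// identity provider's keys before trusting any claim decoded here.
func decodeClaims(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	return &c, nil
}

// acceptWithoutExpiryCheck models the flawed behaviour: any well-formed token
// carrying a subject is accepted, whatever its exp claim says.
func acceptWithoutExpiryCheck(token string, _ time.Time) (string, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return "", err
	}
	if c.Subject == "" {
		return "", errors.New("missing sub claim")
	}
	return c.Subject, nil
}

// acceptWithExpiryCheck is the hardened form: exp is mandatory, the token is
// rejected once now passes exp (plus leeway), and nbf is honoured when present.
func acceptWithExpiryCheck(token string, now time.Time) (string, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return "", err
	}
	if c.Subject == "" {
		return "", errors.New("missing sub claim")
	}
	if c.ExpiresAt == 0 {
		return "", errors.New("token has no exp claim; refusing unbounded session")
	}
	exp := time.Unix(c.ExpiresAt, 0)
	if now.After(exp.Add(leeway)) {
		return "", fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	if c.NotBefore != 0 && now.Add(leeway).Before(time.Unix(c.NotBefore, 0)) {
		return "", errors.New("token not yet valid")
	}
	return c.Subject, nil
}

// makeUnsignedToken builds a constructed sample token. The third segment is a
// placeholder so the compact form has three parts; it is not a real signature.
func makeUnsignedToken(sub string, exp int64) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims{Subject: sub, ExpiresAt: exp})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

func main() {
	now := time.Unix(1657670400, 0) // constructed reference time: 2022-07-13T00:00:00Z
	expired := makeUnsignedToken("alice@example.com", now.Add(-time.Hour).Unix())

	if sub, err := acceptWithoutExpiryCheck(expired, now); err == nil {
		fmt.Println("flawed validator accepted an expired token for", sub)
	}
	if _, err := acceptWithExpiryCheck(expired, now); err != nil {
		fmt.Println("hardened validator rejected it:", err)
	}
}
```

Requiring exp rather than merely checking it when present matters: a validator that treats a missing exp as "never expires" reproduces the same unbounded session the advisory describes, so the hardened path refuses such tokens outright.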

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2022-31145
GHSA-QWRJ-9HMP-GPXH
GO-2022-0519

Affected Products

Flyteadmin