PT-2022-24861 · Unknown · Flyteadmin

Enghabu · Published 2022-10-05 · Updated 2022-12-09 · CVE-2022-39273

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FlyteAdmin versions prior to 1.1.44

Description: The default authorization server's configuration settings contain a known, hardcoded hashed password. Users who enable authentication without changing the default clientid hashes will be exposed to the public internet: an attacker who knows this default password can impersonate Flyte Propeller, allowing public traffic in. This issue only applies to users who have not specified the ExternalAuthorizationServer setting. Using an external auth server automatically turns off this default configuration and protects against this issue.

Recommendations: For versions prior to 1.1.44, users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin's internal auth server. As a temporary workaround, consider disabling the default authorization server until a patch is available. Restrict access to the default Flyte Propeller configmap to minimize the risk of exploitation. Avoid using the default clientid hashes in the authorization server configuration until the issue is resolved.
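As an added configuration check (not code from this advisory or from the Flyte project), the following Python audits a FlyteAdmin configuration, already loaded into a dict, for the conditions described above: an external authorization server means not affected, a missing selfAuthServer or staticClients section means the shipped defaults apply, and a static client whose secret still equals a known default hash is flagged. It assumes authentication is enabled; the nesting under `auth.appAuth`, the per-client `secret` field and the default hash value are assumptions and placeholders, and the sample config is constructed.

```python
from typing import Any, Iterator

# Placeholder standing in for the hash shipped in the default config (not the real value).
KNOWN_DEFAULT_HASHES = {"$2a$10$PLACEHOLDER_DEFAULT_CLIENT_HASH"}

# Constructed config: section names follow the advisory (selfAuthServer, staticClients);
# the nesting under auth.appAuth and the per-client "secret" field are assumptions.
CONSTRUCTED_CONFIG = {
    "auth": {"appAuth": {"selfAuthServer": {"staticClients": {
        "flytepropeller": {"id": "flytepropeller",
                           "secret": "$2a$10$PLACEHOLDER_DEFAULT_CLIENT_HASH"},
        "flytectl": {"id": "flytectl", "public": True},
    }}}}
}

def _find_keys(node: Any, wanted: str) -> Iterator[Any]:
    """Yield every value stored under a key named `wanted` (case-insensitive), at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if str(key).lower() == wanted.lower():
                yield value
            yield from _find_keys(value, wanted)
    elif isinstance(node, list):
        for item in node:
            yield from _find_keys(item, wanted)

def audit_flyte_auth(config: dict, known_defaults: set = KNOWN_DEFAULT_HASHES) -> list:
    """Return findings for a config with authentication enabled; [] means not affected."""
    # An external authorization server switches the built-in one off entirely.
    if any(_find_keys(config, "ExternalAuthorizationServer")):
        return []
    servers = list(_find_keys(config, "selfAuthServer"))
    if not servers:
        return ["no selfAuthServer section: built-in server runs with the shipped defaults"]
    findings = []
    for server in servers:
        clients = server.get("staticClients") if isinstance(server, dict) else None
        if not clients:
            findings.append("selfAuthServer.staticClients not set: default client hashes apply")
            continue
        for name, client in clients.items():
            secret = client.get("secret") if isinstance(client, dict) else None
            if secret in known_defaults:
                findings.append(f"staticClients.{name}: secret is the shipped default hash")
    return findings

if __name__ == "__main__":
    for finding in audit_flyte_auth(CONSTRUCTED_CONFIG):
        print("FINDING:", finding)
```

To use it on a real deployment, load the admin YAML with PyYAML (`yaml.safe_load`) and pass the resulting dict together with the hash values actually shipped in the default configuration.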

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers

CVE-2022-39273
GHSA-67X4-QR35-QVRM
GO-2022-1043

Affected Products

Flyteadmin