Vulnerability Report: GO-2022-1043

CVE-2022-39273, GHSA-67x4-qr35-qvrm
Affects: github.com/flyteorg/flyteadmin
Published: Oct 31, 2022
Modified: May 20, 2024

Default authorization server's configuration settings contain a known hardcoded hashed password. Users who enable auth but do not override this setting may unknowingly allow public traffic in by way of this default password with attackers effectively impersonating propeller.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-67x4-qr35-qvrm.

Affected Packages

Path

Go Versions

Symbols
github.com/flyteorg/flyteadmin/auth/config

from v1.0.0 before v1.1.44

all symbols

Aliases

CVE-2022-39273
GHSA-67x4-qr35-qvrm

References

https://github.com/advisories/GHSA-67x4-qr35-qvrm
https://github.com/flyteorg/flyteadmin/pull/478
https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
https://vuln.go.dev/ID/GO-2022-1043.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL