{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-17T05:01:59.544",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-39273",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2022-10-06T18:16:15.160",
        "lastModified": "2024-11-21T07:17:55.890",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "FlyteAdmin is the control plane for the data processing platform Flyte. Users who enable the default Flyte’s authorization server without changing the default clientid hashes will be exposed to the public internet. In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication via a hardcoded hashed password. This password is also set on the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin’s configuration may unbeknownst to them be allowing public traffic in by way of this default password with attackers effectively impersonating propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting. Usage of an external auth server automatically turns off this default configuration and are not susceptible to this vulnerability. This issue has been addressed in version 1.1.44. Users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin’s internal auth server. Again, users who use an external auth server are automatically protected from this vulnerability."
          },
          {
            "lang": "es",
            "value": "FlyteAdmin is the control plane of the Flyte data processing platform. Users who enable Flyte's default authorization server without changing the default clientid hashes will be exposed to the public Internet. In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication, by means of an embedded hashed password. This password is also set in the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable authentication but do not override this setting in the Flyte Admin configuration may, without knowing it, be allowing public traffic in through this default password, with attackers effectively impersonating Propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting. Using an external authentication server automatically disables this default configuration, and such users are not susceptible to this vulnerability. This issue has been addressed in version 1.1.44. Users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin's internal authentication server. Again, users who use an external authentication server are automatically protected from this vulnerability."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "HIGH",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 2.5
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-798"
              }
            ]
          },
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:flyte:flyteadmin:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "1.1.44",
                    "matchCriteriaId": "D6C9DF17-FAEE-4B41-8305-F2E15C61D678"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server",
            "source": "security-advisories@github.com",
            "tags": ["Vendor Advisory"]
          },
          {
            "url": "https://github.com/flyteorg/flyteadmin/pull/478",
            "source": "security-advisories@github.com",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-67x4-qr35-qvrm",
            "source": "security-advisories@github.com",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Vendor Advisory"]
          },
          {
            "url": "https://github.com/flyteorg/flyteadmin/pull/478",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-67x4-qr35-qvrm",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Third Party Advisory"]
          }
        ]
      }
    }
  ]
}
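The record above boils down to one configuration check: auth is on, no external authorization server is configured, and `selfAuthServer.staticClients` was never overridden, so the shipped static client (and its hardcoded bcrypt-hashed secret) still authenticates anyone who has read the public Helm chart. The following is an added example, not FlyteAdmin's or the Helm chart's own code, that audits a rendered admin config for exactly that condition and renders a replacement `staticClients` override. The key names `server.security.useAuth`, `auth.appAuth.authServerType` and `auth.appAuth.selfAuthServer.staticClients`, the per-client fields, and the expectation that `client_secret` is a bcrypt hash are assumptions taken from the shape of the auth setup docs linked in the references; compare them against your own chart's rendered values. The default hash itself is deliberately not reproduced: `KNOWN_DEFAULT_HASHES` holds a constructed placeholder you replace with the value from your pre-1.1.44 chart. Hashing the fresh secret with bcrypt is left to whatever tool you already trust for that; the block only validates the hash's format before it is written into the override.

```python
# Added example (not Flyte's code): detect the CVE-2022-39273 condition in a
# rendered FlyteAdmin config and emit a corrected staticClients override.
# All config key names below are assumptions drawn from Flyte's auth docs.
import re
import secrets

# Constructed stand-in for the hardcoded default bcrypt hash that shipped in the
# flyteadmin and propeller defaults; the real value is not reproduced here.
# Populate this set from your own pre-1.1.44 chart values.
KNOWN_DEFAULT_HASHES = {"$2b$10$CONSTRUCTED.PLACEHOLDER.FOR.THE.SHIPPED.DEFAULT"}

# bcrypt modular-crypt string: $2a/$2b/$2y, two-digit cost, then 53 characters
# of the bcrypt base64 alphabet (22-char salt + 31-char digest) = 60 chars total.
_BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def looks_like_bcrypt(value):
    """True when value has the shape of a bcrypt hash rather than a plaintext secret."""
    return bool(_BCRYPT_RE.match(value or ""))


def _get(cfg, path):
    """Walk a nested dict by dotted path; any missing key yields None."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_admin_config(cfg, default_hashes=KNOWN_DEFAULT_HASHES):
    """Return a list of findings; an empty list means the self auth server is
    either not in use or has had its static clients explicitly overridden."""
    findings = []
    if not _get(cfg, "server.security.useAuth"):
        return findings  # auth disabled entirely: a different problem, not this CVE
    if str(_get(cfg, "auth.appAuth.authServerType") or "").lower() == "external":
        return findings  # external authorization server switches the self auth server off
    clients = _get(cfg, "auth.appAuth.selfAuthServer.staticClients")
    if not clients:
        findings.append("selfAuthServer.staticClients not set: shipped default clients and their hashed secret apply")
        return findings
    for client_id, client in clients.items():
        secret = client.get("client_secret")
        if secret in default_hashes:
            findings.append(f"{client_id}: client_secret is the shipped default hash")
        elif not client.get("public") and not looks_like_bcrypt(secret):
            findings.append(f"{client_id}: confidential client without a bcrypt-formatted client_secret")
    return findings


def new_client_secret():
    """Fresh high-entropy plaintext secret. bcrypt-hash it before it goes into
    staticClients; the plaintext belongs only in propeller's mounted secret."""
    return secrets.token_urlsafe(32)


def render_static_client_override(client_id, secret_hash, redirect_uris=()):
    """Render the YAML fragment for one confidential static client (field names assumed)."""
    if not looks_like_bcrypt(secret_hash):
        raise ValueError("client_secret must be a bcrypt hash, never the plaintext secret")
    lines = [
        "auth:",
        "  appAuth:",
        "    selfAuthServer:",
        "      staticClients:",
        f"        {client_id}:",
        f"          id: {client_id}",
        f'          client_secret: "{secret_hash}"',
        "          grant_types: [client_credentials, refresh_token]",
        "          response_types: [token]",
        "          scopes: [all, offline, access_token]",
        "          public: false",
    ]
    if redirect_uris:
        lines.append("          redirect_uris:")
        lines.extend(f"            - {uri}" for uri in redirect_uris)
    return "\n".join(lines) + "\n"


# Constructed sample: auth switched on, self auth server kept, staticClients left untouched.
VULNERABLE_CFG = {
    "server": {"security": {"useAuth": True}},
    "auth": {"appAuth": {"authServerType": "Self"}},
}

if __name__ == "__main__":
    for finding in audit_admin_config(VULNERABLE_CFG):
        print("FINDING:", finding)
    # Constructed hash of the right shape, standing in for a real bcrypt output.
    print(render_static_client_override("flytepropeller", "$2b$10$" + "A" * 53))
```

Run the audit against the values your chart actually renders (for example the output of `helm template`), not the chart defaults, since the whole point of the advisory is that the defaults are what an attacker already has. The external-server branch returns early because the record states that configuring an external authorization server disables the self auth server's default client entirely.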