
GHSA-r847-6w6h-r8g4: Flyte Admin SQL Injection in List Filters

Impact

List endpoints on Flyte Admin have a SQL injection vulnerability: a malicious user can send REST requests whose list filters carry custom SQL statements, which are then incorporated into the database query.
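The class of bug described above is a list-filter builder that pastes request-supplied field names, operators and values straight into a WHERE clause. The following is an added example, not flyteadmin's code or its fix: it assumes a hypothetical filter syntax of the form `op(field,value)` joined by `+`, shows the vulnerable concatenating builder beside a hardened one that allow-lists field names and operators and passes values as query parameters, and runs a constructed injection payload through both.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Filter is one parsed list filter: field, operator and value, all taken from
// the request. The op(field,value) syntax is an assumption for this example.
type Filter struct {
	Field    string
	Operator string
	Value    string
}

var filterRe = regexp.MustCompile(`^(\w+)\(([^,]+),(.*)\)$`)

// ParseFilters splits a hypothetical "eq(name,foo)+contains(project,team)"
// query parameter into Filter structs. Parsing is deliberately permissive so
// that the injection attempts below reach the builders unchanged.
func ParseFilters(query string) ([]Filter, error) {
	if strings.TrimSpace(query) == "" {
		return nil, errors.New("empty filter expression")
	}
	var out []Filter
	for _, part := range strings.Split(query, "+") {
		m := filterRe.FindStringSubmatch(strings.TrimSpace(part))
		if m == nil {
			return nil, fmt.Errorf("malformed filter %q", part)
		}
		out = append(out, Filter{Field: m[2], Operator: m[1], Value: m[3]})
	}
	return out, nil
}

// allowedOperators maps the filter operator names to SQL; anything else is rejected
// by the safe builder. allowedFields is the set of columns a client may filter on.
var allowedOperators = map[string]string{"eq": "=", "ne": "<>", "gt": ">", "lt": "<", "contains": "LIKE"}
var allowedFields = map[string]bool{"name": true, "project": true, "domain": true, "created_at": true}

func sqlOperator(op string) string {
	if s, ok := allowedOperators[op]; ok {
		return s
	}
	return op
}

// BuildWhereUnsafe is the vulnerable pattern: every request-controlled piece is
// concatenated into the SQL text, so a value (or a field name) can close the
// quote and append arbitrary SQL.
func BuildWhereUnsafe(filters []Filter) string {
	clauses := make([]string, 0, len(filters))
	for _, f := range filters {
		clauses = append(clauses, fmt.Sprintf("%s %s '%s'", f.Field, sqlOperator(f.Operator), f.Value))
	}
	return strings.Join(clauses, " AND ")
}

// BuildWhereSafe only emits identifiers from the allow-lists and never places a
// value in the SQL string; values are returned as arguments for a parameterized
// query (database/sql placeholders), so they cannot change the query structure.
func BuildWhereSafe(filters []Filter) (string, []interface{}, error) {
	clauses := make([]string, 0, len(filters))
	args := make([]interface{}, 0, len(filters))
	for _, f := range filters {
		if !allowedFields[f.Field] {
			return "", nil, fmt.Errorf("unknown filter field %q", f.Field)
		}
		op, ok := allowedOperators[f.Operator]
		if !ok {
			return "", nil, fmt.Errorf("unknown filter operator %q", f.Operator)
		}
		val := f.Value
		if f.Operator == "contains" {
			val = "%" + f.Value + "%"
		}
		clauses = append(clauses, fmt.Sprintf("%s %s ?", f.Field, op))
		args = append(args, val)
	}
	return strings.Join(clauses, " AND "), args, nil
}

func main() {
	// Constructed payload: the value closes the quote and appends a tautology.
	filters, _ := ParseFilters("eq(name,x' OR '1'='1)")
	fmt.Println("unsafe:", BuildWhereUnsafe(filters))
	where, args, err := BuildWhereSafe(filters)
	fmt.Println("safe:  ", where, args, err)
}
```

With the safe builder the payload survives only as an opaque parameter value (`name = ?` with argument `x' OR '1'='1`), and a request that tries to smuggle SQL through the field name is rejected outright because the field is not in the allow-list; the defensive check worth carrying over is that identifiers are validated against a fixed set and values never touch the query text.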

Workarounds

Exploitation requires access to the flyteadmin installation, which is typically deployed behind a VPN or behind authentication; that access requirement limits exposure but is not a fix.

References

https://owasp.org/www-community/attacks/SQL_Injection#


Package

gomod github.com/flyteorg/flyteadmin (Go)

Affected versions

< 1.1.124

Patched versions

1.1.124

References

  • GHSA-r847-6w6h-r8g4
  • flyteorg/flyteadmin@b3177ef

eapolinario published to flyteorg/flyteadmin

Oct 27, 2023

Published to the GitHub Advisory Database

Oct 27, 2023

Reviewed

Oct 27, 2023

Related news

CVE-2023-41891: SQL Injection | OWASP Foundation

FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. Prior to version 1.1.124, list endpoints on FlyteAdmin have a SQL vulnerability where a malicious user can send a REST request with custom SQL statements as list filters. The attacker needs to have access to the FlyteAdmin installation, typically either behind a VPN or authentication. Version 1.1.124 contains a patch for this issue.