blob: 97663471d979c6ecca8ad5aebf43f9e970f2403a [file] [log] [blame]
id: GO-2022-1043
modules:
- module: github.com/flyteorg/flyteadmin
versions:
- introduced: 1.0.0
- fixed: 1.1.44
vulnerable_at: 1.1.43
packages:
- package: github.com/flyteorg/flyteadmin/auth/config
summary: Hardcoded hashed password in github.com/flyteorg/flyteadmin
description: |-
Default authorization server's configuration settings contain a known hardcoded
hashed password.
Users who enable auth but do not override this setting may unknowingly allow
public traffic in by way of this default password with attackers effectively
impersonating propeller.
cves:
- CVE-2022-39273
ghsas:
- GHSA-67x4-qr35-qvrm
references:
- advisory: https://github.com/advisories/GHSA-67x4-qr35-qvrm
- fix: https://github.com/flyteorg/flyteadmin/pull/478
- web: https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
review_status: REVIEWED