CVE-2022-39273 — Hardcoded hashed password in github.com/flyteorg/flyteadmin

Description

Default authorization server's configuration settings contain a known hardcoded hashed password. Users who enable auth but do not override this setting may unknowingly allow public traffic in by way of this default password with attackers effectively impersonating propeller.

How to fix CVE-2022-39273

To remediate CVE-2022-39273, upgrade the affected package to a fixed version below.

—upgrade to 1.1.44 or later
—upgrade to 1.1.44 or later

Is CVE-2022-39273 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.1.44
>= 1.0.0, < 1.1.44

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (8)

ADVISORYgithub.com/advisories/GHSA-67x4-qr35-qvrm
ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-39273
PATCHgithub.com/flyteorg/flyteadmin
WEBdocs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server