CVE-2023-41891
low-risk
Published 2023-10-30
FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. Prior to version 1.1.124, list endpoints on FlyteAdmin have a SQL vulnerability where a malicious user can send a REST request with custom SQL statements as list filters. The attacker needs to have access to the FlyteAdmin installation, typically either behind a VPN or authentication. Version 1.1.124 contains a patch for this issue.
Do I need to act?
EPSS: 0.33% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 3.5/10 (Low); attack vector ADJACENT_NETWORK, attack complexity LOW
Affected Products (1)
Flyteadmin
References (6)
Third Party Advisory: https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-r847-6w6h-r8g4
Third Party Advisory: https://owasp.org/www-community/attacks/SQL_Injection#
Risk score: 19/100 (low-risk)
Severity: 13/34 · Low
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal