CVE-2023-41891: Flyte Admin SQL Injection in List Filters
Impact
List endpoints on Flyte Admin have a SQL injection vulnerability where a malicious user can send REST requests with custom SQL statements as list filters.
Workarounds
The attacker needs to have access to the flyteadmin installation (typically either behind a VPN or authentication).
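One way to keep list filters out of the SQL text, shown as an added example in Go (not Flyte's code or its fix). The filter syntax `op(field,value)` joined by `+`, the field and operator allowlists, and the `BuildWhere` helper are assumptions made for illustration; placeholders use the PostgreSQL `$n` style.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical allowlist: API field name -> real column. Anything else is rejected.
var allowedColumns = map[string]string{
	"project": "project",
	"domain":  "domain",
	"name":    "name",
}

// Hypothetical operator allowlist: filter function -> SQL operator.
var allowedOps = map[string]string{"eq": "=", "ne": "<>", "gt": ">", "lt": "<"}

// BuildWhere converts filters of the assumed form "op(field,value)" joined by "+"
// into a WHERE fragment with placeholders plus the bound arguments.
func BuildWhere(filters string) (string, []interface{}, error) {
	var clauses []string
	var args []interface{}
	for _, f := range strings.Split(filters, "+") {
		open := strings.Index(f, "(")
		if open < 1 || !strings.HasSuffix(f, ")") {
			return "", nil, fmt.Errorf("malformed filter %q", f)
		}
		op, ok := allowedOps[f[:open]]
		if !ok {
			return "", nil, fmt.Errorf("unsupported operator %q", f[:open])
		}
		parts := strings.SplitN(f[open+1:len(f)-1], ",", 2)
		if len(parts) != 2 {
			return "", nil, fmt.Errorf("malformed filter %q", f)
		}
		col, ok := allowedColumns[strings.TrimSpace(parts[0])]
		if !ok {
			return "", nil, fmt.Errorf("unknown field %q", parts[0])
		}
		// The value never touches the SQL text; it is passed as a bound parameter.
		args = append(args, strings.TrimSpace(parts[1]))
		clauses = append(clauses, fmt.Sprintf("%s %s $%d", col, op, len(args)))
	}
	return strings.Join(clauses, " AND "), args, nil
}

func main() {
	// Constructed sample input.
	fmt.Println(BuildWhere("eq(project,demo)+ne(domain,staging)"))
}
```

The returned fragment and argument slice are meant to be passed together to a parameterized query call, so only allowlisted column names and operators ever appear in the statement text.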