CVE-2022-31145: 
vulnerability analysis and mitigation

FlyteAdmin, prior to version 1.1.29, contained a vulnerability that allowed authenticated users using an external identity provider to continue using Access Tokens and ID Tokens even after their expiration. The vulnerability was discovered and disclosed in July 2022, identified as CVE-2022-31145. Users who use FlyteAdmin as the OAuth2 Authorization Server were unaffected by this issue (GitHub Advisory).

The vulnerability stemmed from insufficient validation of access token expiration in the authentication process. The issue was specifically related to the token verification logic in the external identity provider setup, where the system failed to properly verify the expiration status of Access Tokens and ID Tokens (GitHub PR).

The vulnerability allowed authenticated users to continue using expired Access Tokens and ID Tokens when using an external identity provider, potentially compromising the security of the authentication system. This could lead to unauthorized access to resources after token expiration (GitHub Advisory).

The vulnerability was patched in FlyteAdmin version 1.1.29. For systems unable to immediately update, recommended workarounds included: rotating signing keys immediately to invalidate all open sessions and force users to obtain new tokens, continuing key rotation until FlyteAdmin could be upgraded, and hiding the FlyteAdmin deployment ingress URL from the internet (GitHub Advisory).