CVE-2023-41891: 
vulnerability analysis and mitigation

FlyteAdmin, the control plane for Flyte responsible for managing entities and administering workflow executions, was found to contain a SQL injection vulnerability (CVE-2023-41891). Prior to version 1.1.124, list endpoints on FlyteAdmin were vulnerable to SQL injection attacks where a malicious user could send REST requests with custom SQL statements as list filters. The vulnerability was discovered and disclosed in October 2023 (NVD).

The vulnerability exists in the list endpoints functionality of FlyteAdmin where input validation was insufficient for list filters. This allowed attackers to inject custom SQL statements through REST request parameters. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) according to NVD assessment, with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. However, GitHub's assessment rated it as LOW severity with a CVSS score of 3.5 (GitHub Advisory).

The vulnerability could potentially allow attackers to read sensitive data from the database, modify database data, or execute administrative operations on the database. SQL injection attacks can lead to unauthorized data access, data manipulation, and potential system compromise (OWASP).

The vulnerability has been patched in FlyteAdmin version 1.1.124. Users should upgrade to this version or later to protect against this vulnerability. The fix was implemented through a patch that addresses the SQL injection vulnerability in list filters (GitHub Patch).