CVE-2022-31145: CWE-613: Insufficient Session Expiration in flyteorg flyteadmin

Medium
Published: Wed Jul 13 2022 (07/13/2022, 20:30:12 UTC)
Source: CVE
Vendor/Project: flyteorg
Product: flyteadmin

Description

FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet.

AI-Powered Analysis

Last updated: 06/23/2025, 02:50:11 UTC

Technical Analysis

CVE-2022-31145 is classified under CWE-613 (Insufficient Session Expiration) and affects flyteorg's FlyteAdmin control plane in versions 1.1.30 and earlier. FlyteAdmin manages entities and administers workflow executions within the Flyte platform. The defect appears when FlyteAdmin is configured to authenticate users through an external identity provider: in that configuration, Access Tokens and ID Tokens continue to be accepted after their expiration time has passed, so a session remains usable beyond its intended lifetime. A token that has been leaked, or that belongs to a user who never logged out, therefore keeps granting access until the signing keys are rotated. Deployments that use FlyteAdmin itself as the OAuth2 Authorization Server are not affected, because token expiration is enforced on that path. A patch is available on the master branch of the FlyteAdmin repository. As an interim mitigation, rotating the signing keys immediately invalidates all existing tokens and forces every user to obtain new ones, which terminates lingering sessions; the project recommends continuing to rotate keys until the patched version is deployed, and keeping the FlyteAdmin ingress URL off the public internet to reduce exposure. No exploits in the wild had been reported as of the publication date (July 13, 2022).
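The failure mode described above, as an added illustration that is not FlyteAdmin's code: a minimal HS256 bearer-token check in which the expiry enforcement can be switched off, so the accepted-after-expiry behaviour can be seen beside the correct rejection. The key, timestamps and claims are constructed for the example; FlyteAdmin's actual token handling and the fix on its master branch are not reproduced here.

```python
import base64
import hashlib
import hmac
import json

class TokenExpired(Exception):
    """Raised when a token is presented after exp (plus leeway)."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT that stands in for an IdP-issued ID/access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, *, now: int, leeway: int = 60, enforce_exp: bool = True) -> dict:
    """Check alg and signature, then reject tokens presented after exp + leeway.

    enforce_exp=False reproduces the CWE-613 behaviour described above: a correctly
    signed token stays usable after its expiry until the signing key is rotated."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # only the one algorithm we issue is accepted
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    exp = claims.get("exp")
    if enforce_exp and (not isinstance(exp, int) or now > exp + leeway):
        raise TokenExpired(f"token expired at {exp}, presented at {now}")
    return claims

if __name__ == "__main__":
    KEY, ISSUED = b"constructed-demo-key", 1_657_744_212  # constructed values, not real secrets
    tok = mint_hs256({"sub": "alice", "exp": ISSUED + 300}, KEY)  # 5-minute lifetime
    print("lenient:", verify_hs256(tok, KEY, now=ISSUED + 3600, enforce_exp=False))  # accepted an hour late
    try:
        verify_hs256(tok, KEY, now=ISSUED + 3600)
    except TokenExpired as err:
        print("strict:", err)
```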

Potential Impact

For European organizations running FlyteAdmin 1.1.30 or earlier with an external identity provider, the vulnerability can translate into prolonged unauthorized access whenever a token is compromised or a session is not properly terminated. An attacker or malicious insider holding an expired token could keep using it to reach workflow management and execution controls, which opens the door to unauthorized data access, manipulation of workflows, or disruption of automated processes. That undermines the confidentiality and integrity of sensitive operational data and can affect availability if workflows are maliciously altered or halted. The impact is most significant for organizations that depend on FlyteAdmin for critical data-processing pipelines, such as financial institutions, healthcare providers, and research organizations. Because exploitation requires possession of a token that was valid at some point, and the flaw allows neither token forgery nor privilege escalation, existing authentication controls limit the risk somewhat. The absence of known exploits suggests limited active targeting, but session hijacking and token replay remain a concern. Deployments that use FlyteAdmin as the OAuth2 Authorization Server are not affected, which narrows the scope of impact.

Mitigation Recommendations

1. Upgrade FlyteAdmin to a version beyond 1.1.30 that includes the official patch addressing token expiration enforcement.
2. Immediately rotate the signing keys used for token validation to invalidate all existing tokens and force re-authentication. Continue key rotation until the patched version is deployed.
3. Restrict FlyteAdmin ingress URLs from exposure to the public internet through network segmentation, firewall rules, or VPN access controls, limiting access to trusted internal networks.
4. Monitor authentication logs for unusual token reuse or session activity that continues beyond normal token lifetimes.
5. Review and tighten session management policies in the external identity provider so that tokens are revoked or invalidated promptly upon logout or expiration.
6. Educate users and administrators on the importance of logging out and not sharing tokens.
7. Implement multi-factor authentication (MFA) where possible to reduce the risk from token compromise.
8. Conduct regular security assessments and penetration testing focused on session management and token handling within FlyteAdmin deployments.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3722

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 2:50:11 AM

Last updated: 8/12/2025, 3:46:01 AM
