CVE-2023-41891

LOW

flyteadmin < 1.1.124 - Authenticated SQL Injection via List Endpoint Filters

Title source: llm

Description

FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. Prior to version 1.1.124, list endpoints on FlyteAdmin have a SQL vulnerability where a malicious user can send a REST request with custom SQL statements as list filters. The attacker needs to have access to the FlyteAdmin installation, typically either behind a VPN or authentication. Version 1.1.124 contains a patch for this issue.

References (3)

Core 3

Scores

CVSS v3 3.5
EPSS 0.0093
EPSS Percentile 56.2%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
flyte/flyteadmin < 1.1.124
flyteorg/flyteadmin 0 - 1.1.124 (Go)
Published Oct 30, 2023
Tracked Since Feb 18, 2026