CVE-2022-36085
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-36085
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36085.json
- Aliases
- Published
- 2022-09-08T14:15:08Z
- Modified
- 2023-11-29T09:49:12.058066Z
- Details
-
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated)
WithUnsafeBuiltinsfunction, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of thewithkeyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account byWithUnsafeBuiltins. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using theWithUnsafeBuiltinsfunction and use thecapabilitiesfeature instead. - References
-
- https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr
- https://github.com/open-policy-agent/opa/pull/4540
- https://github.com/open-policy-agent/opa/pull/4616
- https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823
- https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8
- https://github.com/open-policy-agent/opa/releases/tag/v0.43.1
Affected packages
Git / github.com/open-policy-agent/opa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/open-policy-agent/opa
- Events
-
Introduced0The exact introduced commit is unknownFixedFixed
Affected versions
v0.*
v0.1.0
v0.1.0-rc1
v0.1.0-rc2
v0.1.0-rc3
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.19.0
v0.19.0-rc1
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.20.0
v0.20.1
v0.20.2
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.25.0-rc1
v0.25.0-rc3
v0.25.0-rc4
v0.25.1
v0.25.2
v0.26.0
v0.27.0
v0.27.1
v0.28.0
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.3.0
v0.3.1
v0.30.0
v0.30.0-rc0
v0.30.1
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.37.0
v0.38.0
v0.39.0
v0.4.0
v0.4.1
v0.4.10
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.40.0
v0.41.0
v0.42.0
v0.43.0
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
v0.9.2
v0.9.3-rc1
v0.9.3-rc2
v0.9.3-rc3