OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As of time of publication, a patch is not available but OpenFGA's maintainers are planning a patch for inclusion in a future release.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42473.json"
}{
"extracted_events": [
{
"introduced": "1.5.7"
},
{
"last_affected": "1.5.8"
},
{
"last_affected": "1.5.7"
},
{
"introduced": "1.5.8"
}
],
"cpe": [
"cpe:2.3:a:openfga:openfga:1.5.7:*:*:*:*:*:*:*",
"cpe:2.3:a:openfga:openfga:1.5.8:*:*:*:*:*:*:*"
],
"source": [
"AFFECTED_FIELD",
"CPE_STRING"
]
}