GHSA-3gfj-fxx4-f22w

Source

https://github.com/advisories/GHSA-3gfj-fxx4-f22w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3gfj-fxx4-f22w/GHSA-3gfj-fxx4-f22w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3gfj-fxx4-f22w

Aliases

Related

CVE-2022-39352

Published

2022-11-08T22:31:25Z

Modified

2024-08-21T16:28:33.143646Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

OpenFGA Authorization Bypass

Details

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.4 and prior are vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.4 or prior, and have tuples where the user field is set to a userset e.g. folder:test#owner, and the tuple's relation is used on the right-hand side of a from statement.

How to fix that?

Upgrade to version 0.2.5.

Backward Compatibility

This update is not backward compatible. Any tuples where the user field is set to a userset, and the tuple's relation is used on the right-hand side of a from statement have to be rewritten.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2022-11-08T22:31:25Z",
    "nvd_published_at": "2022-11-08T08:15:00Z"
}

References

Affected packages

Go / github.com/openfga/openfga

Package

Name: github.com/openfga/openfga; View open source insights on deps.dev
Purl: pkg:golang/github.com/openfga/openfga

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.5

Database specific

{
    "last_known_affected_version_range": "<= 0.2.4"
}