GHSA-3gfj-fxx4-f22w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3gfj-fxx4-f22w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3gfj-fxx4-f22w/GHSA-3gfj-fxx4-f22w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3gfj-fxx4-f22w
- Aliases
- Published
- 2022-11-08T22:31:25Z
- Modified
- 2024-08-21T16:28:33.143646Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- OpenFGA Authorization Bypass
- Details
-
Overview
During our internal security assessment, it was discovered that OpenFGA versions v0.2.4 and prior are vulnerable to authorization bypass under certain conditions.
Am I Affected?
You are affected by this vulnerability if you are using
openfga/openfgaversion v0.2.4 or prior, and have tuples where theuserfield is set to ausersete.g.folder:test#owner, and the tuple's relation is used on the right-hand side of afromstatement.How to fix that?
Upgrade to version 0.2.5.
Backward Compatibility
This update is not backward compatible. Any tuples where the
userfield is set to auserset, and the tuple's relation is used on the right-hand side of afromstatement have to be rewritten. - Database specific
{ "github_reviewed_at": "2022-11-08T22:31:25Z", "github_reviewed": true, "cwe_ids": [ "CWE-863" ], "nvd_published_at": "2022-11-08T08:15:00Z", "severity": "MODERATE" }- References
Affected packages
Go / github.com/openfga/openfga
Package
- Name
- github.com/openfga/openfga
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openfga/openfga