GHSA-f4mm-2r69-mg5f

Source

https://github.com/advisories/GHSA-f4mm-2r69-mg5f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-f4mm-2r69-mg5f/GHSA-f4mm-2r69-mg5f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f4mm-2r69-mg5f

Aliases

Related

CVE-2022-39342

Published

2022-10-25T20:21:33Z

Modified

2024-08-21T16:28:51.215245Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

OpenFGA Authorization Bypass

Details

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 or prior, and your model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’)

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible. Any model involving rewritten tupleset relations will no longer be acceptable and has to be modified.

Database specific

{
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T20:21:33Z"
}

References

Affected packages

Go / github.com/openfga/openfga

Package

Name: github.com/openfga/openfga; View open source insights on deps.dev
Purl: pkg:golang/github.com/openfga/openfga

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.4

Database specific

{
    "last_known_affected_version_range": "<= 0.2.3"
}