GHSA-g4v5-6f5p-m38j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g4v5-6f5p-m38j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-g4v5-6f5p-m38j/GHSA-g4v5-6f5p-m38j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g4v5-6f5p-m38j
- Aliases
- Related
- Published
- 2025-02-19T20:25:22Z
- Modified
- 2025-03-03T19:42:02.534219Z
- Severity
-
- 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- OpenFGA Authorization Bypass
- Details
-
Overview OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.
Am I Affected? If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:
- Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type, and
- A type bound public access tuple is assigned to an object, and
- userset tuple is not assigned to the same object, and
- Check request's user field is a userset that has the same type as the type bound public access tuple's user type
Fix Upgrade to v1.8.5. This upgrade is backwards compatible.
- Database specific
{ "nvd_published_at": "2025-02-19T21:15:15Z", "cwe_ids": [ "CWE-285" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-02-19T20:25:22Z" }- References
Affected packages
Go / github.com/openfga/openfga
Package
- Name
- github.com/openfga/openfga
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openfga/openfga