GHSA-hr9r-8phq-5x8j

Suggest an improvement
Source
https://github.com/advisories/GHSA-hr9r-8phq-5x8j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-hr9r-8phq-5x8j/GHSA-hr9r-8phq-5x8j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hr9r-8phq-5x8j
Aliases
Published
2023-06-28T22:49:49Z
Modified
2023-11-08T04:12:54.656803Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
OpenFGA vulnerable to denial of service due to circular relationship
Details

Overview

OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when certain Check and ListObjects calls are executed against authorization models that contain circular relationship definitions.

Am I Affected?

You are affected by this vulnerability if you are using OpenFGA v1.1.0 or earlier, and if you are executing certain Check or ListObjects calls against a vulnerable authorization model. To see which of your models could be vulnerable to this attack, download OpenFGA v1.2.0 and run the following command:

./openfga validate-models --datastore-engine <ENGINE> --datastore-uri <URI> | jq .[] | select(.Error | contains("loop"))

replacing the variables <ENGINE> and <URI> as needed.

Fix

Upgrade to v1.1.1.

Backward Compatibility

If you are not passing an invalid authorization model (as identified by running ./openfga validate-models) as a parameter of your Check and ListObjects calls, this upgrade is backwards compatible.

Otherwise, OpenFGA v1.1.1 will start returning HTTP 400 status codes on those calls.

References

Affected packages

Go / github.com/openfga/openfga

Package

Name
github.com/openfga/openfga
View open source insights on deps.dev
Purl
pkg:golang/github.com/openfga/openfga

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.1