GHSA-m3q4-7qmj-657m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m3q4-7qmj-657m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-m3q4-7qmj-657m/GHSA-m3q4-7qmj-657m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m3q4-7qmj-657m
- Aliases
- Published
- 2022-12-20T19:33:27Z
- Modified
- 2024-08-21T16:28:31.301605Z
- Summary
- OpenFGA Authorization Bypass
- Details
-
Overview
During our internal security assessment, it was discovered that OpenFGA versions v0.3.0 is vulnerable to authorization bypass under certain conditions.
Am I Affected?
You are affected by this vulnerability if all of the following applies:
- You are using OpenFGA v0.3.0
- You created a model using modeling language v1.1 that applies a type restriction to an object e.g.
define viewer: [user] - You created tuples based on the aforementioned model, e.g.
document:1#viewer@user:jon - You updated the previous model by adding a new type and replacing the previous restriction with the newly added type e.g.
define viewer: [employee] - You use the tuples created against the first model (step 3) and issue checks against the updated model e.g.
user=user:jon, relation=viewer, object:document:1
How to fix that?
Upgrade to version v0.3.1
Backward Compatibility
This update is backward compatible.
- Database specific
{ "nvd_published_at": "2022-12-20T21:15:00Z", "severity": "HIGH", "github_reviewed_at": "2022-12-20T19:33:27Z", "github_reviewed": true, "cwe_ids": [ "CWE-285" ] }- References
Affected packages
Go / github.com/openfga/openfga
Package
- Name
- github.com/openfga/openfga
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openfga/openfga