GHSA-vj4m-83m8-xpw5

Source

https://github.com/advisories/GHSA-vj4m-83m8-xpw5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-vj4m-83m8-xpw5/GHSA-vj4m-83m8-xpw5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vj4m-83m8-xpw5

Aliases

Related

CVE-2022-39341

Published

2022-10-25T20:21:45Z

Modified

2024-08-21T16:28:36.412430Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

OpenFGA Authorization Bypass via tupleset wildcard

Details

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

Database specific

{
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T20:21:45Z"
}

References

Affected packages

Go / github.com/openfga/openfga

Package

Name: github.com/openfga/openfga; View open source insights on deps.dev
Purl: pkg:golang/github.com/openfga/openfga

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.4

Database specific

{
    "last_known_affected_version_range": "<= 0.2.3"
}