GSA_kwCzR0hTQS04Y3BoLW02ODUtNnY2cs4AA7DZ

High EPSS: 0.00024% (0.04948 Percentile) EPSS:

Permalink JSON

OpenFGA Authorization Bypass

Affected Packages	Affected Versions	Fixed Versions
go:github.com/openfga/openfga	>= 1.5.0, < 1.5.3	1.5.3
0 Dependent packages 0 Dependent repositories Affected Version Ranges All affected versions 1.5.0, 1.5.1, 1.5.2 All unaffected versions 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.9.0, 1.9.2

Overview

Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs.

Am I Affected?

You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b) and you have any cyclical relationships. If you are using these, please update as soon as possible.

Fix

Update to v1.5.3

Backward Compatibility

This update is backward compatible.

References:

Identifiers

GHSA-8cph-m685-6v6r

CVE-2024-31452

Risk

Severity

High

EPSS

EPSS Percentage: 0.00024

EPSS Percentile: 0.04948

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/openfga/openfga

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories