Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05NXg3LW1oNzgtN3cycs4AAvig

OpenFGA subject to Information Disclosure via streamed-list-objects endpoint

Overview

During our internal security assessment, it was discovered that streamed-list-objects endpoint was not validating the authorization header resulting in the disclosure of objects in the store.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 or prior and you are exposing the OpenFGA service to the internet.

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is backward compatible.

Permalink: https://github.com/advisories/GHSA-95x7-mh78-7w2r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NXg3LW1oNzgtN3cycs4AAvig
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00071
EPSS Percentile: 0.325

Identifiers: GHSA-95x7-mh78-7w2r, CVE-2022-39340
References: Repository: https://github.com/openfga/openfga
Blast Radius: 1.0

Affected Packages

go:github.com/openfga/openfga
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.2.3
Fixed in: 0.2.4
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3
All unaffected versions: 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0