Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12ajRtLTgzbTgteHB3Nc4AAvii

OpenFGA Authorization Bypass via tupleset wildcard

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

Permalink: https://github.com/advisories/GHSA-vj4m-83m8-xpw5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ajRtLTgzbTgteHB3Nc4AAvii
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 10 months ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-vj4m-83m8-xpw5, CVE-2022-39341
References:

Repository: https://github.com/openfga/openfga
Blast Radius: 1.0

Affected Packages

go:github.com/openfga/openfga

Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.2.3
Fixed in: 0.2.4
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3
All unaffected versions: 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3