Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ajRtLTgzbTgteHB3Nc4AAvii
OpenFGA Authorization Bypass via tupleset wildcard
Overview
During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.
Am I affected?
You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right-hand side of a 'from' statement).
How to fix it?
Upgrade to version v0.2.4.
Backward Compatibility
This update is not backward compatible with any authorization model that uses a wildcard on a tupleset relation.
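A way to audit a tuple store for the condition described above, written for this page and not part of OpenFGA: it pulls the tupleset relations (the names after each `from`) out of a model and flags stored tuples that assign the `*` wildcard to one of them. It assumes the v0.2.x DSL shape `define <relation> as ... from <tupleset relation>`, the bare `*` wildcard of that era, and a simplified `Tuple` type constructed for the example.

```go
package main

import (
	"regexp"
	"strings"
)

// Tuple is a simplified relationship tuple (user, relation, object); constructed for this example.
type Tuple struct {
	User, Relation, Object string
}

var (
	typeLine = regexp.MustCompile(`^type\s+(\w+)`)
	fromRel  = regexp.MustCompile(`\bfrom\s+(\w+)`)
)

// TuplesetRelations parses a model in the assumed v0.2.x DSL and returns, per object
// type, the relations on the right-hand side of a "from" (the tupleset relations).
func TuplesetRelations(model string) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	cur := ""
	for _, line := range strings.Split(model, "\n") {
		line = strings.TrimSpace(line)
		if m := typeLine.FindStringSubmatch(line); m != nil {
			cur = m[1]
			out[cur] = map[string]bool{}
		} else if cur != "" && strings.HasPrefix(line, "define ") {
			for _, m := range fromRel.FindAllStringSubmatch(line, -1) {
				out[cur][m[1]] = true
			}
		}
	}
	return out
}

// FindWildcardTuplesetTuples returns the tuples that assign the wildcard user "*" to a
// tupleset relation: the data pattern the advisory names as the condition for being affected.
func FindWildcardTuplesetTuples(model string, tuples []Tuple) []Tuple {
	ts := TuplesetRelations(model)
	var hits []Tuple
	for _, t := range tuples {
		objType := strings.SplitN(t.Object, ":", 2)[0]
		if t.User == "*" && ts[objType][t.Relation] {
			hits = append(hits, t)
		}
	}
	return hits
}
```

Any tuple it reports is one that v0.2.3 evaluates unsafely and that the v0.2.4 model change rejects, so these are the tuples to rewrite or remove as part of the upgrade.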
Permalink: https://github.com/advisories/GHSA-vj4m-83m8-xpw5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ajRtLTgzbTgteHB3Nc4AAvii
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-vj4m-83m8-xpw5, CVE-2022-39341
References:
- https://github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5
- https://nvd.nist.gov/vuln/detail/CVE-2022-39341
- https://github.com/openfga/openfga/commit/b466769cc100b2065047786578718d313f52695b
- https://github.com/openfga/openfga/releases/tag/v0.2.4
- https://github.com/advisories/GHSA-vj4m-83m8-xpw5
Blast Radius: 1.0
Affected Packages
go:github.com/openfga/openfga
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: <= 0.2.3
Fixed in: 0.2.4
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3
All unaffected versions: 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0