Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocjlyLThwaHEtNXg4as4AA0IN
OpenFGA vulnerable to denial of service due to circular relationship
Overview
OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when certain Check and ListObjects calls are executed against authorization models that contain circular relationship definitions.
Am I Affected?
You are affected by this vulnerability if you are using OpenFGA v1.1.0 or earlier, and if you are executing certain Check or ListObjects calls against a vulnerable authorization model. To see which of your models could be vulnerable to this attack, download OpenFGA v1.2.0 and run the following command:
./openfga validate-models --datastore-engine <ENGINE> --datastore-uri <URI> | jq .[] | select(.Error | contains("loop"))
replacing the variables <ENGINE> and <URI> as needed.
Fix
Upgrade to v1.1.1.
Backward Compatibility
If you are not passing an invalid authorization model (as identified by running ./openfga validate-models) as a parameter of your Check and ListObjects calls, this upgrade is backwards compatible.
Otherwise, OpenFGA v1.1.1 will start returning HTTP 400 status codes on those calls.
Permalink: https://github.com/advisories/GHSA-hr9r-8phq-5x8jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocjlyLThwaHEtNXg4as4AA0IN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-hr9r-8phq-5x8j, CVE-2023-35933
References:
- https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j
- https://nvd.nist.gov/vuln/detail/CVE-2023-35933
- https://github.com/openfga/openfga/commit/087ce392595f3c319ab3028b5089118ea4063452
- https://openfga.dev/api/service#/Relationship%20Queries/Check
- https://openfga.dev/api/service#/Relationship%20Queries/ListObjects
- https://github.com/advisories/GHSA-hr9r-8phq-5x8j
Blast Radius: 1.0
Affected Packages
go:github.com/openfga/openfga
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.1.0
All unaffected versions: 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3