Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1yeHB3LTg1dnctZng4N84AA45T

Moderate EPSS: 0.00069% (0.21676 Percentile) EPSS:
Permalink JSON

OpenFGA denial of service

Affected Packages Affected Versions Fixed Versions
go:github.com/openfga/openfga < 1.4.3 1.4.3
0 Dependent packages
0 Dependent repositories

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2

All unaffected versions

1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.9.0, 1.9.2

Overview

OpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an "out of memory" error and terminate.

Fix

Upgrade to v1.4.3. This upgrade is backwards compatible.

References:

Identifiers

GHSA-rxpw-85vw-fx87

CVE-2024-23820

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00069

EPSS Percentile: 0.21676

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/openfga/openfga

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON