Lucene search

GitHub_MCVELIST:CVE-2022-39341

HistoryOct 25, 2022 - 12:00 a.m.

CVE-2022-39341 OpenFGA Authorization Bypass

2022-10-2500:00:00

CWE-285

GitHub_M

www.cve.org

openfga

authorization bypass

vulnerable

tupleset relations

patch

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.4%

JSON

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (*) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.

CNA Affected

[
  {
    "vendor": "openfga",
    "product": "openfga",
    "versions": [
      {
        "version": "< 0.2.4",
        "status": "affected"
      }
    ]
  }
]

References

github.com/openfga/openfga/commit/b466769cc100b2065047786578718d313f52695b

github.com/openfga/openfga/releases/tag/v0.2.4

github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.4%

JSON

Related for CVELIST:CVE-2022-39341