Lucene search

GitHub_MCVELIST:CVE-2022-39342

HistoryOct 25, 2022 - 12:00 a.m.

CVE-2022-39342 OpenFGA Authorization Bypass

2022-10-2500:00:00

CWE-285

GitHub_M

www.cve.org

openfga

authorization bypass

cve-2022-39342

vulnerability

tupleset

patch

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.4%

JSON

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.

CNA Affected

[
  {
    "vendor": "openfga",
    "product": "openfga",
    "versions": [
      {
        "version": "< 0.2.4",
        "status": "affected"
      }
    ]
  }
]

References

github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4

github.com/openfga/openfga/releases/tag/v0.2.4

github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.4%

JSON

Related for CVELIST:CVE-2022-39342