CVE-2024-23820 OpenFGA DoS

2024-01-2616:37:27

CWE-770

GitHub_M

www.cve.org

openfga

authorization engine

denial of service

memory error

out of memory

vulnerability

patch

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

30.8%

JSON

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an out of memory error and terminate. Version 1.4.3 contains a patch for this issue.

CNA Affected

[
  {
    "vendor": "openfga",
    "product": "openfga",
    "versions": [
      {
        "version": "< 1.4.3",
        "status": "affected"
      }
    ]
  }
]