cvelist / Tenable / CVELIST:CVE-2024-8260
History: Aug 30, 2024 - 12:22 p.m.

CVE-2024-8260 OPA SMB Force-Authentication

2024-08-30 12:22:45
CWE-294
tenable
www.cve.org
Tags: smb, opa, windows, vulnerability, authentication

CVSS3: 6.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

EPSS: 0
Percentile: 9.5%

An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or to one of the OPA Go library's functions.

CNA Affected

[
  {
    "collectionURL": "https://github.com/open-policy-agent/opa",
    "defaultStatus": "unaffected",
    "product": "OPA",
    "vendor": "Styra",
    "versions": [
      {
        "lessThan": "v0.68.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
