GitHub Advisory Database: GHSA-C77R-FH37-X2PX
History: Aug 30, 2024 - 3:31 p.m.

OPA for Windows has an SMB force-authentication vulnerability

2024-08-30 15:31:30
CWE-294
GitHub Advisory Database
github.com
Tags: opa, windows, smb, force-authentication, vulnerability, input validation, opa cli, opa go library, software

CVSS3: 7.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score: 7.1
Confidence: High

An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. It is caused by improper input validation: a user can pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or to one of the OPA Go library’s functions.
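An input-validation check of the kind this advisory calls for, written in Go as an added example (not code from the OPA project): it rejects Windows UNC/SMB paths before an application hands user-supplied policy paths to the OPA Go library or to a wrapped CLI invocation. The function names and sample paths are assumptions; the extended `\\?\UNC\` spelling is treated the same as `\\host\share`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRemotePolicyPath is returned when a policy path points at a network
// share instead of a local file (assumed name, not an OPA error value).
var ErrRemotePolicyPath = errors.New("policy path refers to a network share; only local files are allowed")

// normalize folds backslashes to forward slashes so one check covers both
// separator styles that Windows accepts.
func normalize(p string) string {
	return strings.ReplaceAll(strings.TrimSpace(p), "\\", "/")
}

// IsUNCPath reports whether p is a UNC path: \\host\share\..., the
// //host/share spelling, or the extended \\?\UNC\host\share form.
// Extended local paths such as \\?\C:\dir are not UNC and return false.
func IsUNCPath(p string) bool {
	n := normalize(p)
	lower := strings.ToLower(n)
	if strings.HasPrefix(lower, "//?/unc/") || strings.HasPrefix(lower, "//./unc/") {
		return true
	}
	// Two leading separators followed directly by a host component.
	return strings.HasPrefix(n, "//") && len(n) > 2 &&
		n[2] != '/' && n[2] != '?' && n[2] != '.'
}

// ValidatePolicyPaths returns an error naming the first path that would
// trigger an outbound SMB connection; call it before any OPA load call.
func ValidatePolicyPaths(paths []string) error {
	for _, p := range paths {
		if IsUNCPath(p) {
			return fmt.Errorf("%w: %q", ErrRemotePolicyPath, p)
		}
	}
	return nil
}

func main() {
	// Constructed sample arguments, as a CLI wrapper might receive them.
	args := []string{`C:\policies\authz.rego`, `\\fileserver.example\share\policy.rego`}
	fmt.Println(ValidatePolicyPaths(args))
}
```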

Affected configurations

Vulners node: open-policy-agent/opa, range < 0.68.0

Vendor: open-policy-agent
Product: opa
Version: *
CPE: cpe:2.3:a:open-policy-agent:opa:*:*:*:*:*:*:*:*