Lucene search

GitHub Advisory DatabaseGHSA-HR4F-6JH8-F2VQ

HistoryOct 18, 2023 - 6:25 p.m.

OpenFGA DoS vulnerability

2023-10-1818:25:58

CWE-400

GitHub Advisory Database

github.com

openfga

dos attack

listobjects calls

resource release

unresponsive

v1.3.4

upgrade

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

23.7%

JSON

Overview

OpenFGA is vulnerable to a DoS attack. When a number of ListObjects calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and the service as a whole becomes unresponsive.

Fix

Upgrade to v1.3.4. This upgrade is backwards compatible.

Affected configurations

Vulners

Node

openfgaopenfgaRange<1.3.4

VendorProductVersionCPE
openfgaopenfga*cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openfga	openfga	*	cpe:2.3:a:openfga:openfga::::::::

References

github.com/advisories/GHSA-hr4f-6jh8-f2vq

github.com/openfga/openfga/releases/tag/v1.3.4

github.com/openfga/openfga/security/advisories/GHSA-hr4f-6jh8-f2vq

nvd.nist.gov/vuln/detail/CVE-2023-45810

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

23.7%

JSON

Related for GHSA-HR4F-6JH8-F2VQ