Lucene search

GoogleOSV:CVE-2022-39341

HistoryOct 25, 2022 - 5:15 p.m.

CVE-2022-39341

2022-10-2517:15:56

Google

osv.dev

openfga

authorization bypass

wildcard tupleset

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.002

Percentile

59.3%

JSON

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (*) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.

References

github.com/openfga/openfga/commit/b466769cc100b2065047786578718d313f52695b

github.com/openfga/openfga/releases/tag/v0.2.4

github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.002

Percentile

59.3%

JSON

Related for OSV:CVE-2022-39341