Lucene search

GoogleOSV:CVE-2022-39342

HistoryOct 25, 2022 - 5:15 p.m.

CVE-2022-39342

2022-10-2517:15:56

Google

osv.dev

openfga

authorization bypass

vulnerability

version 0.2.4

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.002

Percentile

59.3%

JSON

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.

References

github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4

github.com/openfga/openfga/releases/tag/v0.2.4

github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.002

Percentile

59.3%

JSON

Related for OSV:CVE-2022-39342