Lucene search

GoogleOSV:CVE-2024-31452

HistoryApr 16, 2024 - 10:15 p.m.

CVE-2024-31452

2024-04-1622:15:35

Google

osv.dev

openfga

authorization

permission

engine

vulnerability

exclusion

intersection

fixed

software

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b). This vulnerability is fixed in v1.5.3.

CPENameOperatorVersion
openfgaeq0.3.6
openfgaeq1.1.1
openfgaeq0.1.0
openfgaeq0.3.5
openfgaeq1.1.0
openfgaeq0.2.4
openfgaeq1.3.6
openfgaeq1.4.3
openfgaeq0.4.0
openfgaeq1.3.8

Name	Operator	Version
openfga	eq	0.3.6
openfga	eq	1.1.1
openfga	eq	0.1.0
openfga	eq	0.3.5
openfga	eq	1.1.0
openfga	eq	0.2.4
openfga	eq	1.3.6
openfga	eq	1.4.3
openfga	eq	0.4.0
openfga	eq	1.3.8

Rows per page:

1-10 of 481

References

github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2

github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for OSV:CVE-2024-31452