OSV:GHSA-95X7-MH78-7W2R
Published: Oct 25, 2022 - 8:13 p.m.

OpenFGA subject to Information Disclosure via streamed-list-objects endpoint

Source: Google (osv.dev)
Tags: openfga, streaming, unauthorized access, security assessment, vulnerability, version v0.2.3, version v0.2.4, backward compatible

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.001
Percentile: 30.8%

Overview

During our internal security assessment, it was discovered that the streamed-list-objects endpoint was not validating the authorization header, resulting in the disclosure of objects in the store to unauthenticated callers.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 or earlier and you are exposing the OpenFGA service to the internet.

How to fix it?

Upgrade to version v0.2.4.

Backward Compatibility

This update is backward compatible.
