Lucene search

GoogleOSV:GHSA-JCF2-MXR2-GMQP

HistoryAug 25, 2023 - 7:45 p.m.

OpenFGA Authorization Bypass

2023-08-2519:45:57

Google

osv.dev

openfga

authorization bypass

listobjects

api

vulnerability

update

backward compatibility

specific models

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.3%

JSON

Overview

Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. This means that the API sometimes returns more objects than it should.

Am I Affected?

The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1.

Fix

Update to v1.3.1.

Backward Compatibility

This update is backward compatible.

References

github.com/openfga/openfga

github.com/openfga/openfga/releases/tag/v1.3.1

github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp

nvd.nist.gov/vuln/detail/CVE-2023-40579

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.3%

JSON

Related for OSV:GHSA-JCF2-MXR2-GMQP