Lucene search

GoogleOSV:GHSA-VJ4M-83M8-XPW5

HistoryOct 25, 2022 - 8:21 p.m.

OpenFGA Authorization Bypass via tupleset wildcard

2022-10-2520:21:45

Google

osv.dev

openfga

authorization bypass

tupleset

vulnerable versions

upgrade

backward compatibility

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

59.3%

JSON

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

References

github.com/openfga/openfga

github.com/openfga/openfga/commit/b466769cc100b2065047786578718d313f52695b

github.com/openfga/openfga/releases/tag/v0.2.4

github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5

nvd.nist.gov/vuln/detail/CVE-2022-39341

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

59.3%

JSON

Related for OSV:GHSA-VJ4M-83M8-XPW5