Lucene search

GoogleOSV:GO-2022-0316

HistoryJul 27, 2022 - 8:27 p.m.

Incorrect calculation in github.com/open-policy-agent/opa

2022-07-2720:27:33

Google

osv.dev

github

open policy agent

ast

synthetic nodes

logic change

software

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

50.7%

JSON

Pretty-printing an AST that contains synthetic nodes can change the logic of some statements by reordering array literals.

References

github.com/open-policy-agent/opa/commit/2bd8edab9e10e2dc9cf76ae8335ced0c224f3055

github.com/open-policy-agent/opa/commit/932e4ffc37a590ace79e9b75ca4340288c220239

github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

50.7%

JSON

Related for OSV:GO-2022-0316