15 matches found
EUVD-2023-2315
Malicious code in bioql PyPI...
CVE-2024-31452
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion e.g. a but not b or intersection e.g. ...
Authentication Bypass
github.com/openfga/openfga is vulnerable to Authorization Bypass. The vulnerability is due to improper validation of conditions and contextual tuples when using the Check API or ListObjects API, particularly when caching is enabled OPENFGACHECKQUERYCACHEENABLED, allows attackers to potentially...
CVE-2024-56323 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2 are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses conditions, and 2...
GHSA-32Q6-RR98-CJQV OpenFGA Authorization Bypass
Overview OpenFGA v1.3.8 to v1.8.2 Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? You are affected by this authorization bypass vulnerability if you are using OpenFGA...
OpenFGA Authorization Bypass
Overview OpenFGA v1.3.8 to v1.8.2 Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? You are affected by this authorization bypass vulnerability if you are using OpenFGA...
GHSA-8CPH-M685-6V6R OpenFGA Authorization Bypass
Overview Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. Am I Affected? You are very likely affected if your model involves exclusion e.g. a but not b or intersection e.g. a and b and you have any cyclical relationships. If...
OpenFGA Authorization Bypass
Overview Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. Am I Affected? You are very likely affected if your model involves exclusion e.g. a but not b or intersection e.g. a and b and you have any cyclical relationships. If...
CVE-2024-31452
OpenFGA CVE-2024-31452 affects OpenFGA v1.5.0+ with an authorization bypass when calling Check or ListObjects APIs. The root cause relates to exclusion or intersection models (e.g., a but not b, or a and b). The issue is fixed in v1.5.3; remediation is to upgrade to v1.5.3 (or later) to mitigate....
Authorization Bypass
github.com/openfga/openfga is vulnerable to Authorization Bypass. The vulnerability exists because the number of objects returned with the ListObjects API are non-deterministic which allows an attacker to access unauthorized objects if the model contains expressions of type rel1 from type1...
Authorization
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The...
CVE-2023-40579 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The...
CVE-2023-40579 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The...
CVE-2023-40579 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The...
CVE-2023-40579
OpenFGA OpenFGA v1.3.0 and earlier contains an authorization bypass in the ListObjects API when models include expressions of type rel1 from type1. The root cause is mis-evaluation of results for ListObjects under those models, enabling access to unauthorized objects. The issue has been fixed in ...