170 matches found
CVE-2024-24786 affecting package opa for versions less than 0.63.0-1
CVE-2024-24786 affecting package opa for versions less than 0.63.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-45288 affecting package opa for versions less than 0.63.0-1
CVE-2023-45288 affecting package opa for versions less than 0.63.0-1. A patched version of the package is available...
CVE-2023-45142 affecting package opa for versions less than 0.63.0-1
CVE-2023-45142 affecting package opa for versions less than 0.63.0-1. An upgraded version of the package is available that resolves this issue...
Information Disclosure
fastapi-opa is vulnerable to Information Disclosure. The vulnerability is due to lack of authentication enforcement for HTTP OPTIONS requests by OpaMiddleware, allowing an unauthenticated attacker to determine the existence of entities within the application based on the responses to these reques...
CVE-2024-40627
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
CVE-2024-40627
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
CVE-2024-40627 OpaMiddleware does not filter HTTP OPTIONS requests
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
CVE-2024-40627
CVE-2024-40627 concerns the Fastapi-OPA OpaMiddleware, which incorrectly allows unauthenticated HTTP OPTIONS requests by bypassing policy evaluation. This can enable an unauthenticated attacker to infer entity existence based on responses, potentially leaking information about writable entities. ...
CVE-2024-40627 OpaMiddleware does not filter HTTP OPTIONS requests
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
GHSA-5F5C-8RVC-J8WF OpaMiddleware does not filter HTTP OPTIONS requests
Summary HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an...
fastflows (>=0.1.0 <=0.1.2) potentially affected by CVE-2024-40627 via fastapi-opa (=1.4.8)
fastapi-opa PYPI version =1.4.8 is affected by a known vulnerability. The following packages have a transitive dependency on fastapi-opa and may be impacted: - fastflows =0.1.0, =0.1.2 Source cves: CVE-2024-40627 Source advisory: OSV:GHSA-5F5C-8RVC-J8WF...
OpaMiddleware does not filter HTTP OPTIONS requests
Summary HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an...
PT-2024-28950
Name of the Vulnerable Software and Affected Versions Fastapi OPA versions prior to 2.0.1 Description The issue allows unauthenticated attackers to discover which entities exist within an application by sending HTTP OPTIONS requests. This is because OpaMiddleware allows all HTTP OPTIONS requests...
CBL Mariner 2.0 Security Update: cri-tools / docker-buildx / kubernetes / opa / prometheus (CVE-2023-45142)
The version of cri-tools / docker-buildx / kubernetes / opa / prometheus installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-45142 advisory. - OpenTelemetry-Go Contrib is a collection of third-party...
CVE-2023-45288 affecting package opa for versions less than 0.63.0-2
CVE-2023-45288 affecting package opa for versions less than 0.63.0-2. A patched version of the package is available...
CBL Mariner 2.0 Security Update: azcopy / blobfuse2 / cert-manager / cf-cli (CVE-2024-24786)
The version of azcopy / blobfuse2 / cert-manager / cf-cli installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-24786 advisory. - The protojson.Unmarshal function can enter an infinite loop when...
CVE-2024-24786 affecting package opa for versions less than 0.63.0-1
CVE-2024-24786 affecting package opa for versions less than 0.63.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-45142 affecting package opa for versions less than 0.63.0-1
CVE-2023-45142 affecting package opa for versions less than 0.63.0-1. An upgraded version of the package is available that resolves this issue...
AZL-38941 CVE-2023-45288 affecting package opa for versions less than 0.63.0-1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...
AZL-39571 CVE-2023-45288 affecting package opa for versions less than 0.63.0-2
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...