6 matches found
Information Disclosure
fastapi-opa is vulnerable to Information Disclosure. The vulnerability is due to lack of authentication enforcement for HTTP OPTIONS requests by OpaMiddleware, allowing an unauthenticated attacker to determine the existence of entities within the application based on the responses to these reques...
CVE-2024-40627 OpaMiddleware does not filter HTTP OPTIONS requests
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
CVE-2024-40627 OpaMiddleware does not filter HTTP OPTIONS requests
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
CVE-2024-40627 OpaMiddleware does not filter HTTP OPTIONS requests
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against...
GHSA-5F5C-8RVC-J8WF OpaMiddleware does not filter HTTP OPTIONS requests
Summary HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an...
OpaMiddleware does not filter HTTP OPTIONS requests
Summary HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an...