Headline
GHSA-mgh9-4mwp-fg55: OpenFGA Authorization Bypass
Overview
OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed.
Am I Affected?
You are affected by this vulnerability if you are using OpenFGA v1.9.3 to v1.9.4, specifically under the following preconditions:
- Calling Check API or ListObjects with an authorization model that has a relationship directly assignable by more than 1 userset with same type, and
- There are check or list object queries that rely on the above relationship, and
- You have userset tuples that are assigned to the above relationship
Fix
Upgrade to v1.9.5. This upgrade is backwards compatible.
Workaround
Downgrade to v1.9.2 with enable-check-optimizations removed from OPENFGA_EXPERIMENTALS
Acknowledgments
OpenFGA would like Dominic Harries and rrozza-apolitical to thank for discovering this vulnerability.
Overview
OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed.
Am I Affected?
You are affected by this vulnerability if you are using OpenFGA v1.9.3 to v1.9.4, specifically under the following preconditions:
- Calling Check API or ListObjects with an authorization model that has a relationship directly assignable by more than 1 userset with same type, and
- There are check or list object queries that rely on the above relationship, and
- You have userset tuples that are assigned to the above relationship
Fix
Upgrade to v1.9.5. This upgrade is backwards compatible.
Workaround
Downgrade to v1.9.2 with enable-check-optimizations removed from OPENFGA_EXPERIMENTALS
Acknowledgments
OpenFGA would like Dominic Harries and rrozza-apolitical to thank for discovering this vulnerability.
References
- GHSA-mgh9-4mwp-fg55