Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-3gfj-fxx4-f22w: OpenFGA Authorization Bypass

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.4 and prior are vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.4 or prior, and have tuples where the user field is set to a userset e.g. folder:test#owner, and the tuple’s relation is used on the right-hand side of a from statement.

How to fix that?

Upgrade to version v0.2.5.

Backward Compatibility

This update is not backward compatible. Any tuples where the user field is set to a userset, and the tuple’s relation is used on the right-hand side of a from statement have to be rewritten.

ghsa
Open in Source
#vulnerability#git#auth

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.4 and prior are vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.4 or prior, and have tuples where the user field is set to a userset e.g. folder:test#owner, and the tuple’s relation is used on the right-hand side of a from statement.

How to fix that?

Upgrade to version v0.2.5.

Backward Compatibility

This update is not backward compatible.
Any tuples where the user field is set to a userset, and the tuple’s relation is used on the right-hand side of a from statement have to be rewritten.

References

  • GHSA-3gfj-fxx4-f22w
  • https://nvd.nist.gov/vuln/detail/CVE-2022-39352
  • https://github.com/openfga/openfga/releases/tag/v0.2.5

Related news

CVE-2022-39352: OpenFGA Authorization Bypass

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

ghsa: Latest News

GHSA-wf8f-6423-gfxg: Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation
ghsa