Headline

CVE-2023-40579: OpenFGA Authorization Bypass

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1. This issue has been patched in version 1.3.1.

1 year ago

CVE

Open in Source

#vulnerability #google #git #auth

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles

Pricing

Package

gomod openfga/openfga (Go)

Description

Overview

Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. UPDATE: This means that the API sometimes returns more objects than it should.

Am I Affected?

The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1.

Fix

Update to v1.3.1.

Backward Compatibility

This update is backward compatible.

## Overview Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. UPDATE: This means that the API sometimes returns more objects than it should. ## Am I Affected? The vulnerability affects customers using `ListObjects` with specific models. The affected models contain expressions of type `rel1 from type1`. ## Fix Update to v1.3.1. ## Backward Compatibility This update is backward compatible.

1 year ago

ghsa

Open in Source

#vulnerability #git #auth