Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-39341: OpenFGA Authorization Bypass

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (*) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.

CVE
Open in Source
#vulnerability#auth

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

Related news

GHSA-vj4m-83m8-xpw5: OpenFGA Authorization Bypass via tupleset wildcard

### Overview During our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions. ### Am I affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE