Headline
GHSA-8cph-m685-6v6r: OpenFGA Authorization Bypass
Overview
Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs.
Am I Affected?
You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b) and you have any cyclical relationships. If you are using these, please update as soon as possible.
Fix
Update to v1.5.3
Backward Compatibility
This update is backward compatible.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-31452
OpenFGA Authorization Bypass
High severity GitHub Reviewed Published Apr 16, 2024 in openfga/openfga • Updated Apr 16, 2024
Package
gomod github.com/openfga/openfga (Go)
Affected versions
>= 1.5.0, < 1.5.3
Overview
Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs.
Am I Affected?
You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b) and you have any cyclical relationships. If you are using these, please update as soon as possible.
Fix
Update to v1.5.3
Backward Compatibility
This update is backward compatible.
References
- GHSA-8cph-m685-6v6r
- openfga/openfga@b6a6d99
Published to the GitHub Advisory Database
Apr 16, 2024
Last updated
Apr 16, 2024