Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-m3q4-7qmj-657m: OpenFGA Authorization Bypass

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.3.0 is vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if all of the following applies:

  1. You are using OpenFGA v0.3.0
  2. You created a model using modeling language v1.1 that applies a type restriction to an object e.g. define viewer: [user]
  3. You created tuples based on the aforementioned model, e.g. document:1#viewer@user:jon
  4. You updated the previous model by adding a new type and replacing the previous restriction with the newly added type e.g. define viewer: [employee]
  5. You use the tuples created against the first model (step 3) and issue checks against the updated model e.g. user=user:jon, relation=viewer, object:document:1

How to fix that?

Upgrade to version v0.3.1

Backward Compatibility

This update is backward compatible.

ghsa
Open in Source
#vulnerability#git#auth

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.3.0 is vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if all of the following applies:

  1. You are using OpenFGA v0.3.0
  2. You created a model using modeling language v1.1 that applies a type restriction to an object e.g. define viewer: [user]
  3. You created tuples based on the aforementioned model, e.g. document:1#viewer@user:jon
  4. You updated the previous model by adding a new type and replacing the previous restriction with the newly added type e.g. define viewer: [employee]
  5. You use the tuples created against the first model (step 3) and issue checks against the updated model e.g. user=user:jon, relation=viewer, object:document:1

How to fix that?

Upgrade to version v0.3.1

Backward Compatibility

This update is backward compatible.

References

  • GHSA-m3q4-7qmj-657m
  • openfga/openfga#422
  • https://github.com/openfga/openfga/releases/tag/v0.3.1

Related news

CVE-2022-23542: fix: filter reads by type restriction in direct relationship lookups by jon-whit · Pull Request #422 · openfga/openfga

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.

ghsa: Latest News

GHSA-rm76-4mrf-v9r8: vLLM uses Python 3.12 built-in hash() which leads to predictable hash collisions in prefix cache
ghsa