GHSA-vj4m-83m8-xpw5: OpenFGA Authorization Bypass via tupleset wildcard

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2022-39341

OpenFGA Authorization Bypass via tupleset wildcard

High severity GitHub Reviewed Published Oct 25, 2022 in openfga/openfga

Vulnerability details Dependabot alerts 0

Package

gomod github.com/openfga/openfga (Go)

Affected versions

<= 0.2.3

Patched versions

0.2.4

Description

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

References

• GHSA-vj4m-83m8-xpw5
• https://nvd.nist.gov/vuln/detail/CVE-2022-39341
• openfga/openfga@b466769
• https://github.com/openfga/openfga/releases/tag/v0.2.4

SamyGhannad published the maintainer security advisory

Oct 24, 2022

Severity

High

Weaknesses

No CWEs

CVE ID

CVE-2022-39341

GHSA ID

GHSA-vj4m-83m8-xpw5

Source code

openfga/openfga

Checking history

See something to contribute? Suggest improvements for this vulnerability.