Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-rxpw-85vw-fx87: OpenFGA denial of service

Overview

OpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an “out of memory” error and terminate.

Fix

Upgrade to v1.4.3. This upgrade is backwards compatible.

ghsa
#vulnerability#ios#dos#git#perl

Package

gomod github.com/openfga/openfga (Go)

Affected versions

< 1.4.3

Patched versions

1.4.3

Description

Overview

OpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an “out of memory” error and terminate.

Fix

Upgrade to v1.4.3. This upgrade is backwards compatible.

References

  • GHSA-rxpw-85vw-fx87
  • https://nvd.nist.gov/vuln/detail/CVE-2024-23820
  • openfga/openfga@908ac85
  • https://github.com/openfga/openfga/releases/tag/v1.4.3

miparnisari published to openfga/openfga

Jan 26, 2024

Published by the National Vulnerability Database

Jan 26, 2024

Published to the GitHub Advisory Database

Jan 26, 2024

Reviewed

Jan 26, 2024

ghsa: Latest News

GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname