Headline
GHSA-hr4f-6jh8-f2vq: OpenFGA DoS vulnerability
Overview
OpenFGA is vulnerable to a DoS attack. When a number of ListObjects calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and the service as a whole becomes unresponsive.
Fix
Upgrade to v1.3.4. This upgrade is backwards compatible.
Package
gomod github.com/openfga/openfga (Go)
Affected versions
< 1.3.4
Patched versions
1.3.4
Description
Overview
OpenFGA is vulnerable to a DoS attack. When a number of ListObjects calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and the service as a whole becomes unresponsive.
Fix
Upgrade to v1.3.4. This upgrade is backwards compatible.
References
- GHSA-hr4f-6jh8-f2vq
- https://nvd.nist.gov/vuln/detail/CVE-2023-45810
- https://github.com/openfga/openfga/releases/tag/v1.3.4
miparnisari published to openfga/openfga
Oct 17, 2023
Published to the GitHub Advisory Database
Oct 18, 2023
Reviewed
Oct 18, 2023
Last updated
Oct 18, 2023
Related news
OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Affected versions of OpenFGA are vulnerable to a denial of service attack. When a number of `ListObjects` calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and given a sufficient call volume the service as a whole becomes unresponsive. This issue has been addressed in version 1.3.4 and the upgrade is considered backwards compatible. There are no known workarounds for this vulnerability.