Published: 09 Aug 2024
Source: github
Github: Reviewed
CVSS4: 8.2
CVSS3: 7.5
Description
OpenFGA Authorization Bypass
Overview
OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset.
Fix
- If you are using OpenFGA as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possible.
- If you are using the Helm chart, upgrade to 0.2.12 as soon as possible.
This fix is backward compatible.
Packages
Name: github.com/openfga/openfga (go)
Affected versions: >= 1.5.7, < 1.5.9
Fixed version: 1.5.9
Related vulnerabilities
CVSS3: 7.5
nvd
more than 1 year ago
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As of time of publication, a patch is not available but OpenFGA's maintainers are planning a patch for inclusion in a future release.