Описание
OpenFGA Authorization Bypass
Overview
OpenFGA v1.8.0 to v1.8.12 ( openfga-0.2.16 <= Helm chart <= openfga-0.2.31, v1.8.0 <= docker <= v.1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.
Am I Affected?
If you are using OpenFGA v1.8.0 to v1.8.12, specifically under the following conditions, you are affected by this authorization bypass vulnerability:
- Calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset, and
- There are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset, and
- Those contextual tuples’s user field is an userset, and
- Type bound public access tuples are not assigned to the relationship
Fix
Upgrade to v1.8.13. This upgrade is backwards compatible.
Acknowledgments
Okta would like to thank @udyvish for discovering this vulnerability.
Пакеты
github.com/openfga/openfga
>= 1.8.0, < 1.8.13
1.8.13
Связанные уязвимости
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.