Description
OpenFGA Authorization Bypass
Overview
OpenFGA v1.8.10 or earlier (Helm chart <= openfga-0.2.28, Docker image <= v1.8.10) is vulnerable to authorization bypass when certain Check and ListObjects calls are executed.
Am I Affected?
If you are running OpenFGA v1.8.10 or earlier, you are affected by this authorization bypass vulnerability when all of the following conditions hold:
- The Check API or ListObjects API is called with an authorization model that contains a tuple cycle,
- the check query cache is enabled, and
- multiple Check or ListObjects requests involving the tuple cycle are made within the check query cache TTL.
Fix
Upgrade to v1.8.11. This upgrade is backwards compatible.
Packages
Package: github.com/openfga/openfga
Affected versions: >= 1.3.6, < 1.8.11
Patched version: 1.8.11
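The following triage helper is an added example, not part of this advisory or the OpenFGA project. It checks a deployed server version against the affected range given above (>= 1.3.6, < 1.8.11, patched in 1.8.11) and the Helm chart bound (<= openfga-0.2.28), then combines that with the two operator-known preconditions from the advisory (check query cache enabled, model contains a tuple cycle). The `Deployment` record and the inventory at the bottom are constructed for illustration; how you determine whether a model has a tuple cycle is left to the operator, and the third condition (repeated requests within the cache TTL) is a runtime condition, so the helper conservatively assumes it can occur.

```python
"""Triage helper for the OpenFGA authorization bypass advisory.

Added example, not part of the advisory or of OpenFGA itself. Version bounds
come from the advisory; the deployment inventory below is constructed.
"""
import re
from typing import NamedTuple

# Bounds from the advisory's package record.
AFFECTED_MIN = (1, 3, 6)   # inclusive lower bound of the affected range
PATCHED = (1, 8, 11)       # first fixed release (exclusive upper bound)
HELM_CHART_MAX = (0, 2, 28)  # openfga-0.2.28 and earlier ship affected images

# Accepts "1.8.10", "v1.8.10" and the advisory's "v.1.8.10" spelling.
_VERSION_RE = re.compile(r"^v?\.?(\d+)\.(\d+)\.(\d+)")
_CHART_RE = re.compile(r"^openfga-(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a server/image version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_version_affected(version: str) -> bool:
    """True if the server version lies in [1.3.6, 1.8.11)."""
    return AFFECTED_MIN <= parse_version(version) < PATCHED


def is_chart_affected(chart: str) -> bool:
    """True if a Helm chart version is openfga-0.2.28 or earlier."""
    m = _CHART_RE.match(chart.strip())
    if not m:
        raise ValueError(f"unrecognised chart version: {chart!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch) <= HELM_CHART_MAX


class Deployment(NamedTuple):
    """Constructed inventory record (hypothetical fields, not an OpenFGA API)."""
    name: str
    version: str                     # OpenFGA server/image version
    check_query_cache_enabled: bool  # operator-known server setting
    model_has_tuple_cycle: bool      # operator-determined model property


def assess(d: Deployment) -> str:
    """Classify a deployment against the advisory.

    'patched'                : version >= 1.8.11
    'not-in-affected-range'  : version < 1.3.6
    'vulnerable'             : in range and both preconditions hold
    'affected-version'       : in range but a precondition is not met;
                               upgrading is still the recommended fix
    """
    v = parse_version(d.version)
    if v >= PATCHED:
        return "patched"
    if v < AFFECTED_MIN:
        return "not-in-affected-range"
    if d.check_query_cache_enabled and d.model_has_tuple_cycle:
        return "vulnerable"
    return "affected-version"


# Constructed sample inventory; names and settings are made up.
SAMPLE_INVENTORY = [
    Deployment("prod-authz", "v1.8.10", True, True),
    Deployment("staging-authz", "1.8.10", False, True),
    Deployment("dev-authz", "1.8.11", True, True),
    Deployment("legacy-authz", "1.2.0", True, True),
]


def triage(inventory: list[Deployment]) -> dict[str, str]:
    """Map each deployment name to its advisory status."""
    return {d.name: assess(d) for d in inventory}


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

The status names are chosen here for readability; the only action the advisory prescribes is upgrading every in-range deployment to 1.8.11, whatever the cache or model state.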
Related vulnerabilities
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.3.6 through v1.8.10 (Helm chart <= openfga-0.2.28, Docker image <= v1.8.10) is vulnerable to authorization bypass when certain Check and ListObjects calls are executed. This issue has been patched in version 1.8.11.