CVE-2023-35933

Опубликовано: 26 июн. 2023

Источник: nvd

CVSS3: 5.9

CVSS3: 7.5

EPSS Низкий

Описание

OPenFGA is an open source authorization/permission engine built for developers. OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when Check and ListObjects calls are executed against authorization models that contain circular relationship definitions. Users are affected by this vulnerability if they are using OpenFGA v1.1.0 or earlier, and if you are executing Check or ListObjects calls against a vulnerable authorization model. Users are advised to upgrade to version 1.1.1. There are no known workarounds for this vulnerability. Users that do not have circular relationships in their models are not affected.

Ссылки

https://github.com/openfga/openfga/commit/087ce392595f3c319ab3028b5089118ea4063452
Patch
https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j
Vendor Advisory
https://openfga.dev/api/service#/Relationship%20Queries/Check
Exploit
Vendor Advisory
https://openfga.dev/api/service#/Relationship%20Queries/ListObjects
Exploit
Vendor Advisory
https://github.com/openfga/openfga/commit/087ce392595f3c319ab3028b5089118ea4063452
Patch
https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j
Vendor Advisory
https://openfga.dev/api/service#/Relationship%20Queries/Check
Exploit
Vendor Advisory
https://openfga.dev/api/service#/Relationship%20Queries/ListObjects
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

Версия до 1.1.1 (исключая)

EPSS

Процентиль: 45%

0.00226

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-835

Связанные уязвимости

GHSA-hr9r-8phq-5x8j

CVSS3: 5.9

github

больше 2 лет назад

OpenFGA vulnerable to denial of service due to circular relationship

EPSS

Процентиль: 45%

0.00226

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-835