CVE-2023-40579

Опубликовано: 25 авг. 2023

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1. This issue has been patched in version 1.3.1.

Ссылки

https://github.com/openfga/openfga/releases/tag/v1.3.1
Release Notes
https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp
Vendor Advisory
https://github.com/openfga/openfga/releases/tag/v1.3.1
Release Notes
https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

Версия до 1.3.1 (исключая)

EPSS

Процентиль: 20%

0.00065

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-284

Связанные уязвимости

GHSA-jcf2-mxr2-gmqp