CVE-2024-31452

Опубликовано: 16 апр. 2024

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

EPSS Низкий

Описание

OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b). This vulnerability is fixed in v1.5.3.

Ссылки

https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2
Patch
https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r
Patch
Vendor Advisory
https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2
Patch
https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

Версия от 1.5.0 (включая) до 1.5.3 (исключая)

EPSS

Процентиль: 31%

0.00117

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-8cph-m685-6v6r

CVSS3: 8.1

github

почти 2 года назад

OpenFGA Authorization Bypass

EPSS

Процентиль: 31%

0.00117

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-863