CVE-2024-56323

Опубликовано: 13 янв. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses conditions, and 2. calling Check API or ListObjects API with contextual tuples that include conditions and 3. OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.

Ссылки

https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:*:*:*

Версия от 0.1.38 (включая) до 0.2.19 (исключая)

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

Версия от 1.3.8 (включая) до 1.8.3 (исключая)

EPSS

Процентиль: 50%

0.00272

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-285

Связанные уязвимости

GHSA-32q6-rr98-cjqv

github

около 1 года назад

OpenFGA Authorization Bypass

SUSE-SU-2025:0297-1

suse-cvrf