CVE-2022-39342

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4	Patch Third Party Advisory
https://github.com/openfga/openfga/releases/tag/v0.2.4	Release Notes Third Party Advisory
https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:50

Type	Values Removed	Values Added
Summary	OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a â€˜fromâ€™ statement) that involves anything other than a direct relationship (e.g. â€˜as selfâ€™) are vulnerable. Version 0.2.4 contains a patch for this issue.	OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.

27 Jun 2023, 17:27

Type	Values Removed	Values Added
CWE	~~CWE-863~~	NVD-CWE-Other

Information

Published : 2022-10-25 17:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-39342

Mitre link : CVE-2022-39342

CVE.ORG link : CVE-2022-39342

JSON object : View

Products Affected

openfga

openfga

CWE

NVD-CWE-Other CWE-285

Improper Authorization

{"id": "CVE-2022-39342", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2022-10-25T17:15:56.333", "references": [{"url": "https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.2.4", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a \u2018from\u2019 statement) that involves anything other than a direct relationship (e.g. \u2018as self\u2019) are vulnerable. Version 0.2.4 contains a patch for this issue."}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permiso. Las versiones anteriores a 0.2.4 son vulnerables a la omisi\u00f3n de la autorizaci\u00f3n bajo determinadas condiciones. Los usuarios cuyo modelo presenta una relaci\u00f3n definida como un conjunto de tuplas (el lado derecho de una declaraci\u00f3n \"from\") que implica cualquier cosa que no sea una relaci\u00f3n directa (por ejemplo, \"as self\") son vulnerables. La versi\u00f3n 0.2.4 contiene un parche para este problema"}], "lastModified": "2023-11-07T03:50:26.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C8497C4-6109-40A8-AA89-E20BF94EB4C2", "versionEndExcluding": "0.2.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}