CVE-2022-39352

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:50

Type	Values Removed	Values Added
Summary	OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a â€˜fromâ€™ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.	OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

Information

Published : 2022-11-08 08:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-39352

Mitre link : CVE-2022-39352

CVE.ORG link : CVE-2022-39352

JSON object : View

Products Affected

openfga

openfga

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2022-39352", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2022-11-08T08:15:09.790", "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a \u2018from\u2019 statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation."}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permisos de alto rendimiento inspirado en Google Zanzibar. Las versiones anteriores a la 0.2.5 son vulnerables a la evasi\u00f3n de autorizaci\u00f3n bajo ciertas condiciones. Esta vulnerabilidad le afecta si agrega una tupla con un comod\u00edn (*) asignado a una relaci\u00f3n de conjunto de tuplas (el lado derecho de una declaraci\u00f3n \u00e2\u20ac\u02dcfrom\u00e2\u20ac\u2122). Este problema se solucion\u00f3 en la versi\u00f3n v0.2.5. Esta actualizaci\u00f3n no es compatible con ning\u00fan modelo de autorizaci\u00f3n que utilice comodines en una relaci\u00f3n de conjunto de tuples."}], "lastModified": "2023-11-07T03:50:27.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B5607C0-4DAE-4DE9-9E16-A7F4993EB122", "versionEndExcluding": "0.2.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}