CVE-2022-23542

OpenFGA Authorization Bypass

CVSS 7.7 HIGH · EPSS 0.9% · CWE-285

In short

OpenFGA versions before 0.3.1 have a flaw that allows attackers to bypass authorization checks under certain conditions, potentially gaining unauthorized access to protected resources or actions.

Technical detail

OpenFGA 0.3.0 contains an authorization bypass vulnerability (CWE-285) that permits attackers to circumvent permission enforcement mechanisms. The vulnerability requires specific preconditions to be met; exploitation results in unauthorized access to restricted functionality. The flaw was remediated in version 0.3.1 with backward compatibility maintained.

Summary generated and translated by AI from the official description.

Official description

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected products
openfga · openfga (vendor · product)
