CVE-2022-39340
OpenFGA Information Disclosure
In short
OpenFGA's streamed-list-objects endpoint failed to validate authorization headers, allowing attackers to view objects stored in the system without proper permission. This affects versions 0.2.3 and earlier when exposed to the internet.
Technical detail
The streamed-list-objects endpoint in OpenFGA versions ≤0.2.3 does not enforce authorization header validation, enabling unauthorized information disclosure of stored objects. The vulnerability requires network access to the exposed endpoint; patched in version 0.2.4.
Summary generated and translated by AI from the official description.
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users of `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.
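The failure mode described above is a single endpoint that escaped an authorization check the rest of the API enforced. The Go program below is an added example, not OpenFGA's own code, that shows the defensive pattern and a regression check for it: authorization is enforced once, at the router level, so no handler (streaming or otherwise) can be registered without it, and `UnprotectedRoutes` walks every registered route and reports any that answer without a valid `Authorization` header. The bearer preshared key, the route paths and the use of plain `net/http` are constructed assumptions for the example and do not reflect OpenFGA's actual server stack.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// presharedKey is a constructed example secret; a real service loads it from configuration.
const presharedKey = "example-preshared-key"

// protectedRoutes lists every API path this example server exposes. The paths are
// constructed for the example; the streaming path is included on purpose because
// the advisory's bug is one endpoint that was missed when auth was enforced per handler.
var protectedRoutes = []string{
	"/stores/list-objects",
	"/stores/streamed-list-objects",
	"/stores/check",
}

// listHandler stands in for a real endpoint: it returns data and must never be reachable
// without a valid Authorization header.
func listHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `{"objects":["document:example"]}`)
}

// requireAuth validates "Authorization: Bearer <preshared key>" on every request it wraps.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		token := strings.TrimPrefix(auth, prefix)
		// Constant-time comparison so the check does not leak the key byte by byte.
		if subtle.ConstantTimeCompare([]byte(token), []byte(presharedKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux is the hardened form: the whole mux is wrapped, so the check runs before
// routing and a new handler cannot be registered without it.
func newMux() http.Handler {
	mux := http.NewServeMux()
	for _, route := range protectedRoutes {
		mux.HandleFunc(route, listHandler)
	}
	return requireAuth(mux)
}

// newPerHandlerMux is the fragile form: each handler is wrapped individually, and the
// streaming route is (deliberately, for the example) registered without the wrapper.
func newPerHandlerMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/stores/list-objects", requireAuth(http.HandlerFunc(listHandler)))
	mux.Handle("/stores/check", requireAuth(http.HandlerFunc(listHandler)))
	mux.HandleFunc("/stores/streamed-list-objects", listHandler) // no auth: the bug
	return mux
}

// StatusFor sends an in-memory request to h and returns the HTTP status code.
func StatusFor(h http.Handler, path, authHeader string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// UnprotectedRoutes returns every route in protectedRoutes that does not answer 401
// when the Authorization header is absent. A regression test asserts it is empty.
func UnprotectedRoutes(h http.Handler) []string {
	var leaks []string
	for _, route := range protectedRoutes {
		if StatusFor(h, route, "") != http.StatusUnauthorized {
			leaks = append(leaks, route)
		}
	}
	return leaks
}

func main() {
	fmt.Println("router-level auth, unprotected routes:", UnprotectedRoutes(newMux()))
	fmt.Println("per-handler auth, unprotected routes:", UnprotectedRoutes(newPerHandlerMux()))
}
```

The useful part for a defender is `UnprotectedRoutes`: run it in CI against the real router with the real route table, and an endpoint added without authorization fails the build instead of shipping.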
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
openfga · openfga