CVE-2022-39342

OpenFGA Authorization Bypass

CVSS 5.9 MEDIUM · EPSS 0.9% · CWE-285
In short

OpenFGA, an open-source authorization engine, contains an authorization bypass (CWE-285, Improper Authorization) in versions before 0.2.4. Only deployments whose model defines a relation used as a tupleset (the right-hand side of a `from` clause) in terms of something other than a direct relationship are affected; in such models a permission check can succeed for users the model author did not intend to authorize, exposing protected resources. Upgrading to 0.2.4 fixes the issue.

Technical detail

OpenFGA versions prior to 0.2.4 can return incorrect authorization decisions (CWE-285) for models in which a tupleset relation, the relation named after `from` in a definition such as `define viewer as viewer from parent`, is itself defined by anything other than a direct relationship (`as self`), for example a computed userset or a union. Whether a deployment is exposed therefore depends entirely on its authorization model, not on any particular API call. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) rates the impact as integrity-only: checks that should be denied may be allowed. The practical remediation is to upgrade to 0.2.4; model authors should also ensure every relation used as a tupleset is directly assignable.

Summary generated and translated by AI from the official description.
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right-hand side of a `from` statement) that involves anything other than a direct relationship (e.g. `as self`) are vulnerable. Version 0.2.4 contains a patch for this issue.
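To find out whether a model matches the condition described above, it is enough to walk the model and, for every `X from Y`, look at how `Y` is defined. The following checker is an added example written for this page; it is not OpenFGA's own code. It assumes a simplified version of the OpenFGA 1.0 DSL of the 0.2.x era (`type`, `relations`, `define R as ...`), and the two embedded models are constructed for illustration. The first model defines `parent` as `self or owner` and then uses it as a tupleset, which is exactly the vulnerable shape; the second keeps `parent` purely direct.

```python
import re

# Constructed sample models in a simplified OpenFGA 1.0 DSL (assumption: this
# grammar subset is all the checker understands; real models may use more).
VULNERABLE_MODEL = """
type user

type folder
  relations
    define owner as self
    define viewer as self or owner

type document
  relations
    define owner as self
    define parent as self or owner
    define viewer as viewer from parent
"""

SAFE_MODEL = """
type user

type folder
  relations
    define owner as self
    define viewer as self or owner

type document
  relations
    define owner as self
    define parent as self
    define viewer as self or viewer from parent
"""


def parse_model(dsl):
    """Return {type_name: {relation: definition}} from the simplified DSL.

    Hypothetical helper: it understands `type X`, the bare `relations`
    keyword, and `define R as <expr>`, and raises on anything else.
    """
    types = {}
    current = None
    for raw in dsl.splitlines():
        line = raw.strip()
        if not line or line == "relations":
            continue
        if line.startswith("type "):
            current = line.split(None, 1)[1]
            types[current] = {}
            continue
        m = re.match(r"define\s+(\w+)\s+as\s+(.+)", line)
        if not m or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        types[current][m.group(1)] = m.group(2).strip()
    return types


def tupleset_relations(definition):
    """Names used as tuplesets in a definition: the Y in every `X from Y`."""
    return re.findall(r"\bfrom\s+(\w+)", definition)


def find_indirect_tuplesets(types):
    """Report every tupleset relation that is not defined as plain `self`.

    Returns (type, relation, tupleset, tupleset_definition) tuples; an
    undefined tupleset is reported as "<undefined>" so it is not silently
    skipped. An empty list means the model does not match the advisory.
    """
    findings = []
    for type_name, rels in types.items():
        for rel, definition in rels.items():
            for ts in tupleset_relations(definition):
                ts_def = rels.get(ts)
                if ts_def is None:
                    findings.append((type_name, rel, ts, "<undefined>"))
                elif ts_def != "self":
                    findings.append((type_name, rel, ts, ts_def))
    return findings


if __name__ == "__main__":
    for name, model in (("vulnerable", VULNERABLE_MODEL), ("safe", SAFE_MODEL)):
        hits = find_indirect_tuplesets(parse_model(model))
        status = "matches advisory condition" if hits else "ok"
        print(f"{name}: {status}")
        for type_name, rel, ts, ts_def in hits:
            print(f"  {type_name}#{rel} uses tupleset '{ts}' defined as '{ts_def}'")
```

A hit means the model has the shape the advisory describes, not that a concrete bypass has been demonstrated; the fix is still to upgrade to 0.2.4, and as a defensive modelling rule every relation that appears after `from` should be assignable only directly (`as self`), with unions or computed usersets moved to the relation that consumes the tupleset instead.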
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
openfga · openfga (versions prior to 0.2.4; fixed in 0.2.4)
