CVE-2022-39352

OpenFGA Authorization Bypass

CVSS 4.8 MEDIUM · EPSS 0.4% · CWE-863
In short

OpenFGA versions before 0.2.5 allow attackers to bypass authorization checks when wildcard (*) characters are used in certain permission configurations. This means unauthorized users could gain access to protected resources.

Technical detail

Authorization bypass in OpenFGA <0.2.5 occurs when a tupleset relation (the relation on the right-hand side of a 'from' statement) is assigned a wildcard (*) value, allowing improper privilege escalation. The vulnerability affects authorization models that use a wildcard on a tupleset relation; exploitation requires a malicious actor to craft requests against such a misconfigured model. Upgrading to v0.2.5 or later resolves the issue, but the fix is not backward compatible: models that use a wildcard on a tupleset relation must be reconfigured.
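The affected pattern described above (and in the official description below) is a stored tuple whose user is a wildcard and whose relation is used as a tupleset, i.e. the right-hand side of a 'from'. The following audit check is an added example, not OpenFGA project code; it assumes the model is available in OpenFGA's JSON form (type_definitions / relations / tupleToUserset) and the tuples as user/relation/object records, and it flags exactly those tuples so an operator can tell whether an upgrade to v0.2.5 will require model changes.

```python
from typing import Any, Dict, List, Set, Tuple

# Constructed sample model in OpenFGA's JSON form (layout assumed): on type
# "document", "parent" is a tupleset relation because viewer is "viewer from parent".
MODEL: Dict[str, Any] = {"type_definitions": [
    {"type": "folder", "relations": {"viewer": {"this": {}}}},
    {"type": "document", "relations": {
        "parent": {"this": {}},
        "viewer": {"union": {"child": [
            {"this": {}},
            {"tupleToUserset": {"tupleset": {"relation": "parent"},
                                "computedUserset": {"relation": "viewer"}}},
        ]}},
    }},
]}

# Constructed sample tuples; only the first matches the affected pattern.
TUPLES: List[Dict[str, str]] = [
    {"user": "*", "relation": "parent", "object": "document:readme"},
    {"user": "*", "relation": "viewer", "object": "document:public"},  # direct wildcard
    {"user": "folder:docs", "relation": "parent", "object": "document:spec"},
]

def tupleset_relations(model: Dict[str, Any]) -> Set[Tuple[str, str]]:
    """(object_type, relation) pairs used as a tupleset anywhere in the model;
    the walk is generic so union/intersection/difference nesting is covered."""
    found: Set[Tuple[str, str]] = set()
    def walk(node: Any, obj_type: str) -> None:
        if isinstance(node, dict):
            rel = node.get("tupleToUserset", {}).get("tupleset", {}).get("relation")
            if rel:
                found.add((obj_type, rel))
            for child in node.values():
                walk(child, obj_type)
        elif isinstance(node, list):
            for child in node:
                walk(child, obj_type)
    for td in model.get("type_definitions", []):
        walk(td.get("relations", {}), td["type"])
    return found

def is_wildcard(user: str) -> bool:
    # "*" is the 0.2.x wildcard; "type:*" is the typed form of later schema versions.
    return user == "*" or user.endswith(":*")

def affected_tuples(model: Dict[str, Any], tuples: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Tuples that assign a wildcard to a tupleset relation, i.e. the data
    that makes a deployment affected by this advisory."""
    tuplesets = tupleset_relations(model)
    return [t for t in tuples if is_wildcard(t["user"])
            and (t["object"].split(":", 1)[0], t["relation"]) in tuplesets]
```

A direct wildcard on a non-tupleset relation (the second sample tuple) is deliberately not flagged, since the advisory scopes the problem to tupleset relations only.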

Summary generated and translated by AI from the official description.
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
openfga · openfga
