Skip to content

OpenFGA Authorization Bypass

High severity GitHub Reviewed Published Dec 20, 2022 in openfga/openfga • Updated Jan 29, 2023

Package

gomod github.com/openfga/openfga (Go)

Affected versions

= 0.3.0

Patched versions

0.3.1

Description

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.3.0 is vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if all of the following applies:

  1. You are using OpenFGA v0.3.0
  2. You created a model using modeling language v1.1 that applies a type restriction to an object e.g. define viewer: [user]
  3. You created tuples based on the aforementioned model, e.g. document:1#viewer@user:jon
  4. You updated the previous model by adding a new type and replacing the previous restriction with the newly added type e.g. define viewer: [employee]
  5. You use the tuples created against the first model (step 3) and issue checks against the updated model e.g. user=user:jon, relation=viewer, object:document:1

How to fix that?

Upgrade to version v0.3.1

Backward Compatibility

This update is backward compatible.

References

@SamyGhannad SamyGhannad published to openfga/openfga Dec 20, 2022
Published to the GitHub Advisory Database Dec 20, 2022
Reviewed Dec 20, 2022
Published by the National Vulnerability Database Dec 20, 2022
Last updated Jan 29, 2023

Severity

High

EPSS score

0.212%
(59th percentile)

Weaknesses

CVE ID

CVE-2022-23542

GHSA ID

GHSA-m3q4-7qmj-657m

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.