CVE-2024-31452

HIGH8.1EPSS 0.11%

OpenFGA Authorization Bypass

Published: 4/16/2024Modified: 6/4/2024

Also known as:GHSA-8cph-m685-6v6rGO-2024-2729

Description

# Overview Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. # Am I Affected? You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`) and you have any cyclical relationships. If you are using these, please update as soon as possible. # Fix Update to v1.5.3 # Backward Compatibility This update is backward compatible.

Affected packages (2)

Go/github.com/openfga/openfga>= 1.5.0, < 1.5.3
Go/github.com/openfga/openfga>= 1.5.0, < 1.5.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-31452
PATCHhttps://github.com/openfga/openfga
WEBhttps://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2
WEBhttps://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r