CVE-2024-31452

HIGH8.1EPSS 0.11%

OpenFGA Authorization Bypass

發布日:2024/4/16修改日:2024/6/4

也稱為:GHSA-8cph-m685-6v6rGO-2024-2729

描述

# Overview Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. # Am I Affected? You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`) and you have any cyclical relationships. If you are using these, please update as soon as possible. # Fix Update to v1.5.3 # Backward Compatibility This update is backward compatible.

受影響套件(2)

Go/github.com/openfga/openfga>= 1.5.0, < 1.5.3
Go/github.com/openfga/openfga>= 1.5.0, < 1.5.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-31452
PATCHhttps://github.com/openfga/openfga
WEBhttps://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2
WEBhttps://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r