Skip to content

OpenFGA Authorization Bypass

High
SamyGhannad published GHSA-3gfj-fxx4-f22w Nov 7, 2022

Package

gomod github.com/openfga/openfga (Go)

Affected versions

<= 0.2.4

Patched versions

0.2.5

Description

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.4 and prior are vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.4 or prior, and have tuples where the user field is set to a userset e.g. folder:test#owner, and the tuple's relation is used on the right-hand side of a from statement.

How to fix that?

Upgrade to version v0.2.5.

Backward Compatibility

This update is not backward compatible.
Any tuples where the user field is set to a userset, and the tuple's relation is used on the right-hand side of a from statement have to be rewritten.

Severity

High

CVE ID

CVE-2022-39352

Weaknesses

No CWEs