OpenFGA Authorization Bypass
CVE-2022-23542

7.7HIGH

Key Information:

Vendor: Openfga
Status: Openfga
Vendor: CVE Published:; 20 December 2022

What is CVE-2022-23542?

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.

Affected Version(s)

openfga = 0.3.0

References

https://github.com/openfga/openfga/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/openfga/openfga/pull/422

x_refsource_MISC

https://github.com/openfga/openfga/releases/tag/v0.3.1

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 20, 2022
Vulnerability Reserved
Jan 19, 2022

Openfga

What is CVE-2022-23542?

Affected Version(s)

References

CVSS V3.1

Timeline