OpenFGA denial of service die to circular relationship
CVE-2023-35933

5.9MEDIUM

Key Information:

Vendor: Openfga
Status: Openfga
Vendor: CVE Published:; 26 June 2023

What is CVE-2023-35933?

OPenFGA is an open source authorization/permission engine built for developers. OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when Check and ListObjects calls are executed against authorization models that contain circular relationship definitions. Users are affected by this vulnerability if they are using OpenFGA v1.1.0 or earlier, and if you are executing Check or ListObjects calls against a vulnerable authorization model. Users are advised to upgrade to version 1.1.1. There are no known workarounds for this vulnerability. Users that do not have circular relationships in their models are not affected.

Affected Version(s)

openfga < 1.1.1

References

https://github.com/openfga/openfga/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/openfga/openfga/commit/087ce392595f3c3...

x_refsource_MISC

https://openfga.dev/api/service#/Relationship%20Queries/C...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2023
Vulnerability Reserved
Jun 20, 2023

Openfga

What is CVE-2023-35933?

Affected Version(s)

References

CVSS V3.1

Timeline