Authorization bypass vulnerability in OpenFGA
CVE-2024-42473

9.8CRITICAL

Key Information:

Vendor: Openfga
Status: Openfga
Vendor: CVE Published:; 12 August 2024

Summary

The OpenFGA authorization engine, versions 1.5.7 and 1.5.8, is affected by a vulnerability that allows for an authorization bypass when the Check API is called with models utilizing but not and from expressions alongside a userset. As a temporary mitigation, users are strongly recommended to downgrade to version 1.5.6, which is backward compatible. At this time, a patch is not yet available, but maintainers of OpenFGA have indicated plans to address the vulnerability in upcoming releases.

Affected Version(s)

openfga >=1.5.7, <= 1.5.8

References

https://github.com/openfga/openfga/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 12, 2024
Vulnerability Reserved
Aug 2, 2024