Vulnerability Details CVE-2022-39341
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.7%
CVSS Severity
CVSS v3 Score 5.9
References
- https://github.com/openfga/openfga/commit/b466769cc100b2065047786578718d313f52695b
- https://github.com/openfga/openfga/releases/tag/v0.2.4
- https://github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5
- https://github.com/openfga/openfga/commit/b466769cc100b2065047786578718d313f52695b
- https://github.com/openfga/openfga/releases/tag/v0.2.4
- https://github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5
Products affected by CVE-2022-39341
-
cpe:2.3:a:openfga:openfga:0.0.1
-
cpe:2.3:a:openfga:openfga:0.0.2
-
cpe:2.3:a:openfga:openfga:0.1.0
-
cpe:2.3:a:openfga:openfga:0.1.1
-
cpe:2.3:a:openfga:openfga:0.1.2
-
cpe:2.3:a:openfga:openfga:0.1.4
-
cpe:2.3:a:openfga:openfga:0.1.5
-
cpe:2.3:a:openfga:openfga:0.1.6
-
cpe:2.3:a:openfga:openfga:0.1.7
-
cpe:2.3:a:openfga:openfga:0.2.0
-
cpe:2.3:a:openfga:openfga:0.2.1
-
cpe:2.3:a:openfga:openfga:0.2.2
-
cpe:2.3:a:openfga:openfga:0.2.3