CVE-2022-23542 - OpenCVE

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openfga	Openfga

Configuration 1 [-]

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/openfga/openfga/pull/422
https://github.com/openfga/openfga/releases/tag/v0.3.1
https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-20T20:15:16.628Z

Updated: 2024-08-03T03:43:46.451Z

Reserved: 2022-01-19T21:23:53.796Z

Link: CVE-2022-23542

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-20T21:15:10.493

Modified: 2023-11-07T03:44:13.357

Link: CVE-2022-23542

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23542", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-01-19T21:23:53.796Z", "datePublished": "2022-12-20T20:15:16.628Z", "dateUpdated": "2024-08-03T03:43:46.451Z"}, "containers": {"cna": {"title": "OpenFGA Authorization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/pull/422"}, {"name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "= 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-20T20:15:16.628Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}], "source": {"advisory": "GHSA-m3q4-7qmj-657m", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.451Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/pull/422"}, {"name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "83D51F01-FDB6-48DB-BD8F-88EE6A5CE24B", "versionEndExcluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permisos creado para desarrolladores e inspirado en Google Zanzibar. Durante una evaluaci\u00f3n de seguridad interna, se descubri\u00f3 que la versi\u00f3n 0.3.0 de OpenFGA es vulnerable a la omisi\u00f3n de autorizaci\u00f3n bajo ciertas condiciones. Este problema se solucion\u00f3 en la versi\u00f3n 0.3.1 y es compatible con versiones anteriores."}], "id": "CVE-2022-23542", "lastModified": "2023-11-07T03:44:13.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-20T21:15:10.493", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/pull/422"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}