CVE-2022-23542 - Vulnerability Details - OpenCVE

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Openfga	Openfga

Configuration 1 [-]

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7675	OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.
Github GHSA	GHSA-m3q4-7qmj-657m	OpenFGA Authorization Bypass

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/openfga/openfga/pull/422
https://github.com/openfga/openfga/releases/tag/v0.3.1
https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m

History

Wed, 16 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-20T20:15:16.628Z

Updated: 2025-04-16T14:43:38.712Z

Reserved: 2022-01-19T21:23:53.796Z

Link: CVE-2022-23542

Vulnrichment

Updated: 2024-08-03T03:43:46.451Z

NVD

Status : Modified

Published: 2022-12-20T21:15:10.493

Modified: 2024-11-21T06:48:46.757

Link: CVE-2022-23542

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23542", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-01-19T21:23:53.796Z", "datePublished": "2022-12-20T20:15:16.628Z", "dateUpdated": "2025-04-16T14:43:38.712Z"}, "containers": {"cna": {"title": "OpenFGA Authorization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/pull/422"}, {"name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "= 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-20T20:15:16.628Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}], "source": {"advisory": "GHSA-m3q4-7qmj-657m", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.451Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/pull/422"}, {"name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T14:43:26.471806Z", "id": "CVE-2022-23542", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T14:43:38.712Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/openfga/openfga/pull/422", "name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.451Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-23542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T14:43:26.471806Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T14:43:32.412Z"}}], "cna": {"title": "OpenFGA Authorization Bypass", "source": {"advisory": "GHSA-m3q4-7qmj-657m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"status": "affected", "version": "= 0.3.0"}]}], "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openfga/openfga/pull/422", "name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-20T20:15:16.628Z"}}}, "cveMetadata": {"cveId": "CVE-2022-23542", "state": "PUBLISHED", "dateUpdated": "2025-04-16T14:43:38.712Z", "dateReserved": "2022-01-19T21:23:53.796Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-20T20:15:16.628Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "83D51F01-FDB6-48DB-BD8F-88EE6A5CE24B", "versionEndExcluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permisos creado para desarrolladores e inspirado en Google Zanzibar. Durante una evaluaci\u00f3n de seguridad interna, se descubri\u00f3 que la versi\u00f3n 0.3.0 de OpenFGA es vulnerable a la omisi\u00f3n de autorizaci\u00f3n bajo ciertas condiciones. Este problema se solucion\u00f3 en la versi\u00f3n 0.3.1 y es compatible con versiones anteriores."}], "id": "CVE-2022-23542", "lastModified": "2024-11-21T06:48:46.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-20T21:15:10.493", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/pull/422"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/pull/422"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}