CVE-2022-39342 - OpenCVE

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openfga	Openfga

Configuration 1 [-]

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4
https://github.com/openfga/openfga/releases/tag/v0.2.4
https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-25T00:00:00

Updated: 2024-08-03T12:00:44.105Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39342

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-25T17:15:56.333

Modified: 2023-11-07T03:50:26.957

Link: CVE-2022-39342

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39342", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:44.105Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-25T00:00:00"}, "containers": {"cna": {"title": "OpenFGA Authorization Bypass", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a \u2018from\u2019 statement) that involves anything other than a direct relationship (e.g. \u2018as self\u2019) are vulnerable. Version 0.2.4 contains a patch for this issue."}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "< 0.2.4", "status": "affected"}]}], "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f"}, {"url": "https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4"}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.2.4"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-285: Improper Authorization", "cweId": "CWE-285"}]}], "source": {"advisory": "GHSA-f4mm-2r69-mg5f", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.105Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f", "tags": ["x_transferred"]}, {"url": "https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4", "tags": ["x_transferred"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.2.4", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C8497C4-6109-40A8-AA89-E20BF94EB4C2", "versionEndExcluding": "0.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a \u2018from\u2019 statement) that involves anything other than a direct relationship (e.g. \u2018as self\u2019) are vulnerable. Version 0.2.4 contains a patch for this issue."}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permiso. Las versiones anteriores a 0.2.4 son vulnerables a la omisi\u00f3n de la autorizaci\u00f3n bajo determinadas condiciones. Los usuarios cuyo modelo presenta una relaci\u00f3n definida como un conjunto de tuplas (el lado derecho de una declaraci\u00f3n \"from\") que implica cualquier cosa que no sea una relaci\u00f3n directa (por ejemplo, \"as self\") son vulnerables. La versi\u00f3n 0.2.4 contiene un parche para este problema"}], "id": "CVE-2022-39342", "lastModified": "2023-11-07T03:50:26.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-25T17:15:56.333", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/releases/tag/v0.2.4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}