CVE-2024-23820 - OpenCVE

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openfga	Openfga

Configuration 1 [-]

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39
https://github.com/openfga/openfga/releases/tag/v1.4.3
https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-26T16:37:27.065Z

Updated: 2024-08-29T18:13:51.862Z

Reserved: 2024-01-22T22:23:54.337Z

Link: CVE-2024-23820

Vulnrichment

Updated: 2024-08-01T23:13:08.520Z

NVD

Status : Analyzed

Published: 2024-01-26T17:15:13.287

Modified: 2024-02-01T16:30:14.907

Link: CVE-2024-23820

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-22T22:23:54.337Z", "datePublished": "2024-01-26T16:37:27.065Z", "dateUpdated": "2024-08-29T18:13:51.862Z"}, "containers": {"cna": {"title": "OpenFGA DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"}, {"name": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"}, {"name": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "< 1.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-26T16:37:27.065Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue."}], "source": {"advisory": "GHSA-rxpw-85vw-fx87", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:08.520Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"}, {"name": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"}, {"name": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T18:11:56.692244Z", "id": "CVE-2024-23820", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T18:13:51.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "name": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "name": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:08.520Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T18:11:56.692244Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T18:13:26.969Z"}}], "cna": {"title": "OpenFGA DoS", "source": {"advisory": "GHSA-rxpw-85vw-fx87", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"status": "affected", "version": "< 1.4.3"}]}], "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "name": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "name": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-26T16:37:27.065Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23820", "state": "PUBLISHED", "dateUpdated": "2024-08-29T18:13:51.862Z", "dateReserved": "2024-01-22T22:23:54.337Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-26T16:37:27.065Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2F9E0AB-95A2-438B-ABA0-67EECF03D0C7", "versionEndExcluding": "1.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue."}, {"lang": "es", "value": "OpenFGA, un motor de autorizaci\u00f3n/permisos, es vulnerable a un ataque de denegaci\u00f3n de servicio en versiones anteriores a la 1.4.3. En algunos escenarios que dependen del modelo y las tuplas utilizadas, es posible que una llamada a `ListObjects` no libere memoria correctamente. Entonces, cuando se ejecuta una cantidad suficientemente alta de esas llamadas, el servidor OpenFGA puede crear un error de \"memoria insuficiente\" y finalizar. La versi\u00f3n 1.4.3 contiene un parche para este problema."}], "id": "CVE-2024-23820", "lastModified": "2024-02-01T16:30:14.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-26T17:15:13.287", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}