{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40627", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-08T16:13:15.510Z", "datePublished": "2024-07-15T19:21:40.298Z", "dateUpdated": "2024-08-02T04:33:11.894Z"}, "containers": {"cna": {"title": "OpaMiddleware does not filter HTTP OPTIONS requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf"}, {"name": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c", "tags": ["x_refsource_MISC"], "url": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c"}, {"name": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80", "tags": ["x_refsource_MISC"], "url": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80"}], "affected": [{"vendor": "busykoala", "product": "fastapi-opa", "versions": [{"version": "< 2.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-15T19:21:40.298Z"}, "descriptions": [{"lang": "en", "value": "Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy. If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-5f5c-8rvc-j8wf", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "busykoala", "product": "fastapi-opa", "cpes": ["cpe:2.3:a:busykoala:fastapi-opa:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.0.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T20:03:55.852372Z", "id": "CVE-2024-40627", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T20:13:48.807Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.894Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf"}, {"name": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c"}, {"name": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40627", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-15T20:03:55.852372Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:busykoala:fastapi-opa:*:*:*:*:*:*:*:*"], "vendor": "busykoala", "product": "fastapi-opa", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T20:13:44.535Z"}}], "cna": {"title": "OpaMiddleware does not filter HTTP OPTIONS requests", "source": {"advisory": "GHSA-5f5c-8rvc-j8wf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "busykoala", "product": "fastapi-opa", "versions": [{"status": "affected", "version": "< 2.0.1"}]}], "references": [{"url": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf", "name": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c", "name": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80", "name": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy. If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-15T19:21:40.298Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40627", "state": "PUBLISHED", "dateUpdated": "2024-07-15T20:13:48.807Z", "dateReserved": "2024-07-08T16:13:15.510Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-15T19:21:40.298Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy. If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Fastapi OPA es un middleware fastapi de c\u00f3digo abierto que incluye flujo de autenticaci\u00f3n. Las solicitudes HTTP `OPCIONES` siempre son permitidas por `OpaMiddleware`, incluso cuando carecen de autenticaci\u00f3n, y se pasan directamente a la aplicaci\u00f3n. `OpaMiddleware` permite todas las solicitudes HTTP de `OPCIONES` sin evaluarlas con respecto a ninguna pol\u00edtica. Si una aplicaci\u00f3n proporciona diferentes respuestas a las solicitudes HTTP \"OPCIONES\" basadas en una entidad existente (por ejemplo, para indicar si se puede escribir en una entidad a nivel del sistema), un atacante no autenticado podr\u00eda descubrir qu\u00e9 entidades existen dentro de una aplicaci\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 2.0.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-40627", "lastModified": "2024-07-16T13:43:58.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-15T20:15:05.033", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80"}, {"source": "security-advisories@github.com", "url": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c"}, {"source": "security-advisories@github.com", "url": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}