Miparnisari

**Name of the Vulnerable Software and Affected Versions** SpiceDB versions prior to 1.44.2 **Description** The issue affects SpiceDB, an open source database for storing and querying fine-grained authorization data. On schemas involving arrows with caveats on the arrow'ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. **Recommendations** For versions prior to 1.44.2, update to version 1.44.2 to resolve the issue. As a temporary workaround, do not use caveats in the schema over an arrow'ed relation.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions 1.3.8 through 1.8.2 **Description** The issue concerns an authorization bypass in OpenFGA under specific conditions, including calling Check API or ListObjects with a model that uses `conditions`, and OpenFGA being configured with caching enabled (`OPENFGA CHECK QUERY CACHE ENABLED`). This occurs when Check API or ListObjects API calls contain `contextual tuples` that include `conditions`. **Recommendations** For OpenFGA versions 1.3.8 through 1.8.2, upgrade to version 1.8.3, as this upgrade is backwards compatible. As a temporary workaround, consider disabling caching by setting `OPENFGA CHECK QUERY CACHE ENABLED` to false until the upgrade to version 1.8.3 is possible. Avoid using `conditions` in models for Check API or ListObjects calls, and avoid using `contextual tuples` that include `conditions` in these API calls until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions 1.5.0 through 1.5.2 **Description** The issue concerns an authorization bypass when calling Check or ListObjects APIs in OpenFGA. Users are likely affected if their model involves exclusion (e.g., `a but not b`) or intersection (e.g., `a and b`), particularly if there are cyclical relationships. **Recommendations** Update to version 1.5.3 to resolve the issue. As a temporary workaround, consider restricting the use of exclusion and intersection models, especially those with cyclical relationships, until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions prior to 1.4.3 **Description** OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. When a sufficiently high number of those calls are executed, the OpenFGA server can create an "out of memory" error and terminate. **Recommendations** Upgrade to version 1.4.3, as this upgrade is backwards compatible and contains a patch for the issue. As a temporary workaround, consider restricting the number of calls to `ListObjects` to minimize the risk of exploitation.