Samyghannad

**Name of the Vulnerable Software and Affected Versions** etcd versions prior to 3.4.44 etcd versions prior to 3.5.30 etcd versions prior to 3.6.11 **Description** etcd is a distributed key-value store for distributed system data. A flaw allows authenticated users without sufficient read or lease-related permissions to bypass Role-Based Access Control (RBAC) authorization checks. This occurs when invoking transaction operations that utilize read access via `PrevKv` or lease attachment in 'Put' requests, potentially allowing unauthorized data access or lease attachment. **Recommendations** Update to version 3.4.44. Update to version 3.5.30. Update to version 3.6.11. Restrict network access to etcd server ports to ensure only trusted components can connect. Require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

**Name of the Vulnerable Software and Affected Versions** OpenFGA version 0.3.0 **Description** OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA is vulnerable to authorization bypass under certain conditions. The issue occurs when a model using modeling language v1.1 applies a type restriction to an object, and then the model is updated by adding a new type and replacing the previous restriction. This can lead to unauthorized access. **Recommendations** For OpenFGA version 0.3.0, upgrade to version 0.3.1 to fix the authorization bypass issue. This update is backward compatible.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions prior to 0.2.5 **Description** OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. The issue allows for authorization bypass under certain conditions, specifically when a tuple with a wildcard (*) is assigned to a tupleset relation, which is the right-hand side of a 'from' statement. This affects authorization models that use wildcard on a tupleset relation. **Recommendations** Upgrade to version 0.2.5, noting that this update is not backward compatible with any authorization model that uses wildcard on a tupleset relation. If using tuples where the `user` field is set to a `userset` and the tuple's relation is used on the right-hand side of a `from` statement, these tuples will need to be rewritten.

**Name of the Vulnerable Software and Affected Versions** openfga/openfga versions 0.2.3 and prior **Description** OpenFGA is an authorization/permission engine. The `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users who are exposing the OpenFGA service to the internet are vulnerable. **Recommendations** For openfga/openfga versions 0.2.3 and prior, upgrade to version 0.2.4 to resolve the issue. As a temporary workaround, consider restricting access to the `streamed-list-objects` endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions prior to 0.2.4 **Description** OpenFGA is an authorization/permission engine. The issue allows for authorization bypass under certain conditions, specifically when users have a wildcard (`*`) defined on tupleset relations in their authorization model. **Recommendations** Upgrade to version 0.2.4 to resolve the issue. As a temporary workaround, consider restricting the use of wildcard (`*`) on tupleset relations in the authorization model until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions prior to 0.2.4 **Description** OpenFGA is an authorization/permission engine. The issue concerns authorization bypass under certain conditions, specifically when a relation is defined as a tupleset involving anything other than a direct relationship, such as 'as self'. **Recommendations** For versions prior to 0.2.4, upgrade to version 0.2.4 to resolve the issue. Note that this update is not backward compatible, and any model involving rewritten tupleset relations will need to be modified to be acceptable.