PT-2022-16142 · Open Policy Agent · Open Policy Agent

Johanneslarsson · Published 2022-02-09 · Updated 2022-07-27 · CVE-2022-23628

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Open Policy Agent (OPA) versions prior to 0.37.2

Description
Pretty-printing an abstract syntax tree (AST) that contains synthetic nodes can change the logic of some statements by reordering array literals. This issue affects policies that parse and compare web paths. Three conditions must be met to create an adverse effect:
  1. An AST of Rego had to be created programmatically such that it ends up containing terms without a location (such as wildcard variables).
  2. The AST had to be pretty-printed using the github.com/open-policy-agent/opa/format package.
  3. The result of the pretty-printing had to be parsed and evaluated again via an OPA instance using the bundles, or the Go packages.
Notably, all three conditions would be true if using optimized bundles, i.e., bundles created with opa build -O=1 or higher.

Recommendations
To resolve the issue, update to version 0.37.2 or later. As a temporary workaround, consider disabling optimization when creating bundles by not using the -O=1 flag or higher with the opa build command.

Related Identifiers

CVE-2022-23628
GHSA-HCW3-J74M-QC58
GO-2022-0316

Affected Products

Open Policy Agent