PT-2022-24910 · Openfga · Openfga

Samyghannad · Published 2022-10-25 · Updated 2024-08-21 · CVE-2022-39340

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: openfga/openfga versions 0.2.3 and prior

Description: OpenFGA is an authorization/permission engine. The streamed-list-objects endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users who are exposing the OpenFGA service to the internet are vulnerable.

Recommendations: For openfga/openfga versions 0.2.3 and prior, upgrade to version 0.2.4 to resolve the issue. As a temporary workaround, consider restricting access to the streamed-list-objects endpoint until the update is applied.
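The bug class behind this advisory is an authorization check that is wired per route, so that one endpoint (here the streamed variant) is registered without it. The Go program below is an added illustration, not OpenFGA's code: it builds a small HTTP service twice, once with the check applied route by route and one route missed, once with the check wrapped around the whole router, and then runs the regression check a defender would keep in the test suite, namely that every exposed route refuses an unauthenticated request. The route paths, the preshared-key scheme and all function names are assumptions for the example; the page states only that the streamed-list-objects endpoint skipped the authorization header check.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Route names and credential are constructed for this example; the real OpenFGA
// URL layout and its authentication scheme are not given on this page.
const (
	listObjectsPath         = "/stores/demo/list-objects"
	streamedListObjectsPath = "/stores/demo/streamed-list-objects"
	presharedKey            = "example-preshared-key" // constructed sample secret
)

// requireAuth refuses any request whose Authorization header does not carry the
// expected bearer token, and otherwise passes the request on to next.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		header := r.Header.Get("Authorization")
		token := strings.TrimPrefix(header, "Bearer ")
		if !strings.HasPrefix(header, "Bearer ") ||
			subtle.ConstantTimeCompare([]byte(token), []byte(presharedKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// listObjects stands in for the handler that returns objects from the store.
func listObjects(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"objects":["document:report-1"]}`)
}

// vulnerableMux applies the check per route. The unary endpoint is wrapped, the
// streamed endpoint is registered bare, so it answers unauthenticated callers.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle(listObjectsPath, requireAuth(http.HandlerFunc(listObjects)))
	mux.HandleFunc(streamedListObjectsPath, listObjects) // wrapper forgotten here
	return mux
}

// fixedMux wraps the whole router once, so every route, including any added
// later, passes through the authorization check before reaching a handler.
func fixedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(listObjectsPath, listObjects)
	mux.HandleFunc(streamedListObjectsPath, listObjects)
	return requireAuth(mux)
}

// statusFor sends an in-memory request and returns the HTTP status code.
func statusFor(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// routeAuthCoverage reports, per route, whether an unauthenticated request is
// refused. A false entry is exactly the gap this advisory describes, and this
// is the regression check to keep in the service's test suite.
func routeAuthCoverage(h http.Handler) map[string]bool {
	coverage := map[string]bool{}
	for _, p := range []string{listObjectsPath, streamedListObjectsPath} {
		coverage[p] = statusFor(h, p, "") == http.StatusUnauthorized
	}
	return coverage
}

func main() {
	fmt.Println("vulnerable:", routeAuthCoverage(vulnerableMux()))
	fmt.Println("fixed:     ", routeAuthCoverage(fixedMux()))
}
```

The design point is that the check belongs at the outermost layer, where it covers routes nobody remembered to wrap, and that the test enumerates every route rather than the ones someone thought to protect. The same split exists in gRPC servers, where unary and streaming calls are intercepted by separate options, so a streaming method needs its interceptor registered explicitly; the advisory's temporary workaround of restricting access to the streamed endpoint at the network edge is the equivalent of wrapping the whole router from outside the process.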

Weakness Enumeration

Improper Authorization
Missing Authorization
Incorrect Authorization

Related Identifiers

CVE-2022-39340
GHSA-95X7-MH78-7W2R
GO-2022-1079

Affected Products

Openfga