PT-2024-20102 · Openfga · Openfga

Miparnisari · Published 2024-01-26 · Updated 2024-06-28 · CVE-2024-23820

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenFGA versions prior to 1.4.3
Description: OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack. In some scenarios, depending on the authorization model and tuples in use, a call to ListObjects does not release memory properly (a memory leak). When a sufficiently high number of such calls is executed, the OpenFGA server runs out of memory and terminates. The vector's PR:L indicates that an authenticated, low-privileged API client is enough to trigger it.
Recommendations: Upgrade to version 1.4.3; the upgrade is backwards compatible and contains a patch for the issue. As a temporary workaround, restrict the number of ListObjects calls that reach the server (for example by capping concurrent or per-second requests to that endpoint at a proxy or gateway in front of OpenFGA) to minimize the risk of exploitation.
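The workaround above, limiting how many ListObjects calls reach the server, as an added example that is not OpenFGA's own code: a Go middleware for a reverse proxy in front of the server that caps in-flight POST requests to the ListObjects route and answers the overflow with 429 while leaving Check and the other endpoints alone. Assumptions: the route shape `/stores/{store_id}/list-objects` follows OpenFGA's public HTTP API; the store id `store-123`, the request body, the capacity values and the deliberately blocking stub backend in `RunScenario` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"sync"
	"sync/atomic"
)

// OpenFGA serves ListObjects at POST /stores/{store_id}/list-objects
// (route shape assumed from the public HTTP API); everything else passes through.
var listObjectsPath = regexp.MustCompile(`^/stores/[^/]+/list-objects$`)

// ListObjectsLimiter caps the number of ListObjects calls in flight at once,
// so a burst of leaky calls cannot pile up memory on the backend.
type ListObjectsLimiter struct {
	sem      chan struct{} // one slot per permitted in-flight call
	next     http.Handler
	rejected uint64
}

func NewListObjectsLimiter(maxInFlight int, next http.Handler) *ListObjectsLimiter {
	return &ListObjectsLimiter{sem: make(chan struct{}, maxInFlight), next: next}
}

// tryAcquire takes a slot without blocking; false means the cap is reached.
func (l *ListObjectsLimiter) tryAcquire() bool {
	select {
	case l.sem <- struct{}{}:
		return true
	default:
		return false
	}
}

func (l *ListObjectsLimiter) release() { <-l.sem }

// Rejected reports how many ListObjects calls were turned away with 429.
func (l *ListObjectsLimiter) Rejected() uint64 { return atomic.LoadUint64(&l.rejected) }

func (l *ListObjectsLimiter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || !listObjectsPath.MatchString(r.URL.Path) {
		l.next.ServeHTTP(w, r) // Check, Read, Write, ... are not limited
		return
	}
	if !l.tryAcquire() {
		atomic.AddUint64(&l.rejected, 1)
		w.Header().Set("Retry-After", "1")
		http.Error(w, "too many concurrent ListObjects calls", http.StatusTooManyRequests)
		return
	}
	defer l.release()
	l.next.ServeHTTP(w, r)
}

// RunScenario stands up a stub backend whose ListObjects handler blocks until
// told to finish (standing in for a slow, memory-hungry call), saturates it with
// maxInFlight requests, then fires `extra` more plus one Check request. It returns
// how many ListObjects calls got 200, how many got 429, and the Check status.
// Store id and request body are constructed for the demo.
func RunScenario(maxInFlight, extra int) (accepted, rejected, checkStatus int) {
	arrived := make(chan struct{}, maxInFlight)
	release := make(chan struct{})
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if listObjectsPath.MatchString(r.URL.Path) {
			arrived <- struct{}{}
			<-release
		}
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewServer(NewListObjectsLimiter(maxInFlight, backend))
	defer srv.Close()

	post := func(path string) int {
		body := strings.NewReader(`{"type":"document","relation":"viewer","user":"user:anne"}`)
		resp, err := http.Post(srv.URL+path, "application/json", body)
		if err != nil {
			return 0
		}
		resp.Body.Close()
		return resp.StatusCode
	}
	results := make(chan int, maxInFlight+extra)
	var wg sync.WaitGroup
	listObjects := func() { defer wg.Done(); results <- post("/stores/store-123/list-objects") }

	for i := 0; i < maxInFlight; i++ {
		wg.Add(1)
		go listObjects()
	}
	for i := 0; i < maxInFlight; i++ {
		<-arrived // backend is now saturated and holding every slot
	}
	for i := 0; i < extra; i++ {
		wg.Add(1)
		go listObjects()
	}
	for i := 0; i < extra; i++ { // only the new calls can answer now; they must be 429
		if <-results == http.StatusTooManyRequests {
			rejected++
		} else {
			accepted++
		}
	}
	checkStatus = post("/stores/store-123/check") // other endpoints are untouched
	close(release)                                 // let the blocked calls finish
	wg.Wait()
	for i := 0; i < maxInFlight; i++ {
		if <-results == http.StatusOK {
			accepted++
		} else {
			rejected++
		}
	}
	return accepted, rejected, checkStatus
}

func main() {
	a, r, c := RunScenario(2, 3)
	fmt.Printf("ListObjects accepted=%d rejected=%d, Check status=%d\n", a, r, c)
}
```

Rejecting with 429 and Retry-After rather than queueing is deliberate: queued calls still hold memory once they reach the server, so well-behaved clients should back off instead. Size the cap to the memory budget you can afford to lose to the leak between restarts, and drop the middleware once the instances are on 1.4.3.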

Weakness Enumeration

CWE-401: Memory Leak
CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2024-23820
GHSA-RXPW-85VW-FX87
GO-2024-2477

Affected Products

Openfga