PT-2024-28950 · Unknown · Fastapi Opa
Miceg · Published 2024-07-15 · Updated 2024-07-16 · CVE-2024-40627
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Fastapi OPA versions prior to 2.0.1
Description: OpaMiddleware forwards every HTTP OPTIONS request to the application without evaluating it against any policy, so the authorization layer is bypassed for that method regardless of path or credentials. An unauthenticated attacker can use this to discover which entities exist in an application: if the application answers OPTIONS requests differently depending on whether the addressed entity exists (for example, a 200 with an Allow header for an existing item and a 404 otherwise), the attacker can probe identifiers and read the difference, learning the application's internal state without ever passing the policy check. The bypass itself is unconditional; whether it leaks anything depends on the application's OPTIONS handlers.
Recommendations: For versions prior to 2.0.1, upgrade to release 2.0.1, which addresses the issue. As a temporary workaround, restrict access to the read item options function, or change the application so that it does not return different responses to HTTP OPTIONS requests based on entity existence. Until the issue is resolved, avoid using the Allow header in the read item options function to indicate whether an entity is writable, since that header is returned without any policy evaluation.
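The bypass and both workarounds, as an added example that is not fastapi-opa's own code: a minimal ASGI authorization middleware stands in for OpaMiddleware (with a flag that reproduces the unconditional OPTIONS pass-through), a tiny ASGI application stands in for the FastAPI app, and a differential prober plays the unauthenticated attacker. The item IDs, the X-Token header, the "secret" value and the Allow header contents are all constructed for the demonstration.

```python
"""Model of the OPTIONS policy bypass and its mitigations, as plain ASGI code.

Added example, not fastapi-opa's code: policy_middleware() stands in for
OpaMiddleware, make_app() stands in for the application, and probe() drives
requests in-process so no server or HTTP client is needed. ITEMS, the X-Token
header and the 'secret' value are constructed for the demo.
"""
import asyncio

# Constructed application state: the entities an attacker wants to enumerate.
ITEMS = {1: "widget", 2: "gadget"}


async def respond(send, status, body, headers=()):
    """Send a complete ASGI HTTP response."""
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain"), *headers]})
    await send({"type": "http.response.body", "body": body})


def policy_allows(scope):
    """Stand-in for the policy decision: allow only requests carrying X-Token: secret."""
    headers = dict(scope.get("headers", []))
    return headers.get(b"x-token") == b"secret"


def policy_middleware(inner, *, skip_options):
    """Authorization middleware. skip_options=True reproduces the advisory's bug:
    OPTIONS is forwarded without any policy check. skip_options=False evaluates
    every method, which is the hardened behaviour."""
    async def middleware(scope, receive, send):
        if scope["type"] != "http":
            return await inner(scope, receive, send)
        if skip_options and scope["method"] == "OPTIONS":
            return await inner(scope, receive, send)   # vulnerable: unchecked pass-through
        if not policy_allows(scope):
            return await respond(send, 401, b"unauthorized")
        return await inner(scope, receive, send)
    return middleware


def make_app(*, uniform_options):
    """Application with a GET and an OPTIONS handler for /items/{id}.
    uniform_options=False answers OPTIONS differently for existing items (the leak);
    uniform_options=True is the application-side workaround: identical OPTIONS
    responses whether or not the item exists."""
    async def app(scope, receive, send):
        path, method = scope["path"], scope["method"]
        if not path.startswith("/items/"):
            return await respond(send, 404, b"not found")
        item_id = path.rsplit("/", 1)[1]
        exists = item_id.isdigit() and int(item_id) in ITEMS
        if method == "OPTIONS":
            if uniform_options:
                return await respond(send, 204, b"", [(b"allow", b"GET, OPTIONS")])
            if exists:
                # Leaks existence via status and writability via Allow.
                return await respond(send, 200, b"", [(b"allow", b"GET, PUT, DELETE, OPTIONS")])
            return await respond(send, 404, b"not found")
        if method == "GET" and exists:
            return await respond(send, 200, ITEMS[int(item_id)].encode())
        return await respond(send, 404, b"not found")
    return app


def probe(asgi_app, method, path, token=None):
    """Run one request through an ASGI app in-process; return (status, headers)."""
    headers = [(b"host", b"testserver")]
    if token is not None:
        headers.append((b"x-token", token.encode()))
    scope = {"type": "http", "method": method, "path": path, "headers": headers}
    messages = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        messages.append(message)

    asyncio.run(asgi_app(scope, receive, send))
    start = next(m for m in messages if m["type"] == "http.response.start")
    return start["status"], {k.decode(): v.decode() for k, v in start["headers"]}


def enumerate_items(asgi_app, candidate_ids, baseline_id=0):
    """Unauthenticated differential probing: report IDs whose OPTIONS response
    differs from that of an ID assumed not to exist."""
    baseline = probe(asgi_app, "OPTIONS", f"/items/{baseline_id}")
    return [i for i in candidate_ids
            if probe(asgi_app, "OPTIONS", f"/items/{i}") != baseline]


leaky_app = make_app(uniform_options=False)
vulnerable = policy_middleware(leaky_app, skip_options=True)            # pre-2.0.1 behaviour
fixed_middleware = policy_middleware(leaky_app, skip_options=False)     # policy on every method
fixed_app = policy_middleware(make_app(uniform_options=True), skip_options=True)  # app-side workaround

if __name__ == "__main__":
    print("vulnerable      :", enumerate_items(vulnerable, range(1, 5)))
    print("fixed middleware:", enumerate_items(fixed_middleware, range(1, 5)))
    print("fixed app       :", enumerate_items(fixed_app, range(1, 5)))
```

The prober compares each OPTIONS response against one for an ID that does not exist, which is how the leak is exploited in practice: the attacker never needs a valid token, only a distinguishable answer. Against the vulnerable stack the existing IDs stand out; evaluating policy on every method makes every unauthenticated probe a 401, and the application-side workaround makes every OPTIONS answer identical, so either change closes the oracle.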

Related Identifiers

CVE-2024-40627
GHSA-5F5C-8RVC-J8WF

Affected Products

Fastapi Opa