PT-2024-29969 · OpenFGA · OpenFGA

Author: Sidneibjunior · Published: 2024-08-09 · Updated: 2024-10-01 · CVE-2024-42473

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.5.7 through 1.5.8

Description: OpenFGA is an authorization/permission engine. The issue is an authorization bypass that occurs when the Check API is called with an authorization model that uses "but not" and "from" expressions together with a userset.

Recommendations: For OpenFGA versions 1.5.7 and 1.5.8, downgrade to v1.5.6 as soon as possible; this downgrade is backward compatible. If you are using OpenFGA as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possible. If you are using the Helm chart, upgrade to 0.2.12 as soon as possible.

Weakness Enumeration

Incorrect Authorization (CWE-863)
Improper Authorization (CWE-285)

Related Identifiers

CVE-2024-42473
GHSA-3F6G-M4HR-59H8
GO-2024-3061

Affected Products

OpenFGA