PT-2024-38897 · Unknown · Opa Go Library

Shelly Raban · Published 2024-08-30 · Updated 2024-11-23

CVE-2024-8260
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: OPA for Windows versions prior to 0.68.0
Description: An SMB force-authentication vulnerability exists due to improper input validation: a user can pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or to one of the OPA Go library's functions. This vulnerability could expose NTLM credentials to attackers, who can exploit it to relay authentication. The issue reinforces the need for stringent input validation across all applications. The vulnerability is being actively exploited.
Recommendations: For OPA for Windows versions prior to 0.68.0, update to version 0.68.0 or later to resolve the issue. As a temporary workaround, add input validation that prevents arbitrary SMB shares from being passed as arguments to the OPA CLI or the OPA Go library's functions.
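The workaround above, as an added example that is not code from the OPA project or from this advisory: a hypothetical Go pre-check (ValidateRegoPath and its allowedDir parameter are assumptions) that rejects UNC/SMB share arguments and URL-style schemes and confines the policy path to a local directory before it is handed to the OPA CLI or an OPA Go library loader.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// driveAbs matches Windows drive-letter absolute paths such as C:/policies.
var driveAbs = regexp.MustCompile(`^[A-Za-z]:/`)

// ValidateRegoPath is a hypothetical pre-check (not OPA's own code). It accepts
// only a .rego file that resolves lexically inside allowedDir and rejects UNC
// paths (\\host\share, //host/share, \\?\UNC\...) and URL-style schemes before
// the argument is ever passed to the OPA CLI or an OPA Go library loader.
// Paths are handled with forward slashes so the check behaves the same on any OS.
func ValidateRegoPath(arg, allowedDir string) (string, error) {
	if strings.TrimSpace(arg) == "" {
		return "", errors.New("empty policy path")
	}
	norm := strings.ReplaceAll(arg, `\`, "/")
	// UNC shares and the \\?\UNC\ device form both become //... after normalisation.
	if strings.HasPrefix(norm, "//") {
		return "", fmt.Errorf("UNC/SMB path rejected: %q", arg)
	}
	// smb://, file://, http:// and similar must never reach a file loader.
	if strings.Contains(norm, "://") {
		return "", fmt.Errorf("URL-style path rejected: %q", arg)
	}
	if !strings.HasSuffix(strings.ToLower(norm), ".rego") {
		return "", fmt.Errorf("not a .rego file: %q", arg)
	}
	base := path.Clean(strings.ReplaceAll(allowedDir, `\`, "/"))
	var resolved string
	if path.IsAbs(norm) || driveAbs.MatchString(norm) {
		resolved = path.Clean(norm)
	} else {
		resolved = path.Join(base, norm) // Join cleans, collapsing ".." segments
	}
	// Containment: the cleaned result must sit strictly below allowedDir.
	if !strings.HasPrefix(resolved, base+"/") {
		return "", fmt.Errorf("path %q escapes policy directory %q", arg, allowedDir)
	}
	return resolved, nil
}
```

This lexical check complements the upgrade to 0.68.0 rather than replacing it, and it does not detect a symlink inside allowedDir that points at a network location.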

Related Identifiers

CVE-2024-8260
GHSA-C77R-FH37-X2PX
GO-2024-3141

Affected Products

Opa
Opa Go Library