x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package that can be imported, but isn't meant to be outside that module.
Comments
timothy-king added the excluded: EFFECTIVELY_PRIVATE label and removed the NeedsTriage label on Oct 26, 2022
Change https://go.dev/cl/446359 mentions this issue: |
This was referenced Aug 25, 2023
Closed
Change https://go.dev/cl/592774 mentions this issue: |
This was referenced Aug 9, 2024
Closed
Change https://go.dev/cl/607231 mentions this issue: |
gopherbot pushed a commit that referenced this issue on Aug 21, 2024:

- data/reports/GO-2022-1079.yaml
- data/reports/GO-2022-1080.yaml
- data/reports/GO-2022-1081.yaml
- data/reports/GO-2022-1089.yaml
- data/reports/GO-2022-1099.yaml
- data/reports/GO-2022-1100.yaml
- data/reports/GO-2022-1105.yaml
- data/reports/GO-2022-1106.yaml
- data/reports/GO-2022-1107.yaml
- data/reports/GO-2022-1119.yaml
- data/reports/GO-2022-1120.yaml
- data/reports/GO-2022-1121.yaml
- data/reports/GO-2022-1132.yaml
- data/reports/GO-2022-1135.yaml
- data/reports/GO-2022-1138.yaml
- data/reports/GO-2022-1147.yaml
- data/reports/GO-2022-1151.yaml
- data/reports/GO-2022-1152.yaml
- data/reports/GO-2022-1153.yaml
- data/reports/GO-2022-1154.yaml

Updates #1079
Updates #1080
Updates #1081
Updates #1089
Updates #1099
Updates #1100
Updates #1105
Updates #1106
Updates #1107
Updates #1119
Updates #1120
Updates #1121
Updates #1132
Updates #1135
Updates #1138
Updates #1147
Updates #1151
Updates #1152
Updates #1153
Updates #1154

Change-Id: Ice57e62cbaec73a848639ed6de50434eac91a368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607231
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
CVE-2022-39340 references github.com/openfga/openfga, which may be a Go module.
Description:
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the streamed-list-objects endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users of openfga/openfga versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.

References:
See doc/triage.md for instructions on how to triage this report.
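
A regression check for the failure class in the description above (one endpoint reachable without a validated Authorization header), as an added example that is not OpenFGA's or vulndb's code. The route paths, the pre-shared key and the per-route wiring that leaves the streaming route unwrapped are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const presharedKey = "constructed-test-key" // constructed for this example
var routes = []string{"/check", "/list-objects", "/streamed-list-objects"} // hypothetical paths

// requireAuth rejects requests whose Authorization header is not the expected bearer token.
func requireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+presharedKey)) != 1 {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// newMux wires the routes; patched=false leaves the streaming route unwrapped (assumed failure mode).
func newMux(patched bool) *http.ServeMux {
	handler := func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "object:doc1") }
	mux := http.NewServeMux()
	for _, p := range routes {
		if p == "/streamed-list-objects" && !patched {
			mux.HandleFunc(p, handler)
		} else {
			mux.HandleFunc(p, requireAuth(handler))
		}
	}
	return mux
}

// unauthenticatedRoutes lists routes that answer a request with no Authorization header with anything but 401.
func unauthenticatedRoutes(h http.Handler) (open []string) {
	for _, p := range routes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() { fmt.Println(unauthenticatedRoutes(newMux(false)), unauthenticatedRoutes(newMux(true))) }
```

Driving the check from the same route list the server registers means a newly added endpoint is covered without anyone remembering to add a test for it.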