-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
zpavlinovic
added
the
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
label
Nov 8, 2022
Change https://go.dev/cl/448815 mentions this issue: |
This was referenced Aug 25, 2023
Closed
Change https://go.dev/cl/592835 mentions this issue: |
This was referenced Aug 9, 2024
Closed
Change https://go.dev/cl/607231 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2022-1079.yaml - data/reports/GO-2022-1080.yaml - data/reports/GO-2022-1081.yaml - data/reports/GO-2022-1089.yaml - data/reports/GO-2022-1099.yaml - data/reports/GO-2022-1100.yaml - data/reports/GO-2022-1105.yaml - data/reports/GO-2022-1106.yaml - data/reports/GO-2022-1107.yaml - data/reports/GO-2022-1119.yaml - data/reports/GO-2022-1120.yaml - data/reports/GO-2022-1121.yaml - data/reports/GO-2022-1132.yaml - data/reports/GO-2022-1135.yaml - data/reports/GO-2022-1138.yaml - data/reports/GO-2022-1147.yaml - data/reports/GO-2022-1151.yaml - data/reports/GO-2022-1152.yaml - data/reports/GO-2022-1153.yaml - data/reports/GO-2022-1154.yaml Updates #1079 Updates #1080 Updates #1081 Updates #1089 Updates #1099 Updates #1100 Updates #1105 Updates #1106 Updates #1107 Updates #1119 Updates #1120 Updates #1121 Updates #1132 Updates #1135 Updates #1138 Updates #1147 Updates #1151 Updates #1152 Updates #1153 Updates #1154 Change-Id: Ice57e62cbaec73a848639ed6de50434eac91a368 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607231 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
CVE-2022-39352 references github.com/openfga/openfga, which may be a Go module.
Description:
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.
References:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: