
x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-m3q4-7qmj-657m #1177

Closed
GoVulnBot opened this issue Dec 20, 2022 · 1 comment

@GoVulnBot

In GitHub Security Advisory GHSA-m3q4-7qmj-657m, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|------|-------|-------------------|
| github.com/openfga/openfga | 0.3.1 | = 0.3.0 |

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "0.3.1", vuln range "= 0.3.0")
    packages:
      - package: github.com/openfga/openfga
description: |-
    ### Overview
    During our internal security assessment, it was discovered that OpenFGA version v0.3.0 is vulnerable to authorization bypass under certain conditions.

    ### Am I Affected?
    You are affected by this vulnerability if **all** of the following apply:

    1. You are using OpenFGA v0.3.0
    2. You created a model using modeling language v1.1 that applies a type restriction to an object e.g. `define viewer: [user]`
    3. You created tuples based on the aforementioned model, e.g. `document:1#viewer@user:jon`
    4. You updated the previous model by adding a new type and replacing the previous restriction with the newly added type e.g. `define viewer: [employee]`
    5. You use the tuples created against the first model (step 3) and issue checks against the updated model e.g. `user=user:jon, relation=viewer, object:document:1`

    ### How to fix that?
    Upgrade to version v0.3.1

    ### Backward Compatibility
    This update is backward compatible.
cves:
  - CVE-2022-23542
ghsas:
  - GHSA-m3q4-7qmj-657m
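Added example, not OpenFGA's code: a simplified Go model of the check described in steps 2 to 5 above, showing the behaviour a fixed server must have, namely that a tuple written under `define viewer: [user]` no longer grants `viewer` once the restriction has been replaced by `[employee]`; `StaleTuples` audits a tuple store for such leftovers. The `Model` map layout and all function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Model maps "objectType#relation" to the user types its type restriction allows (assumed layout).
type Model map[string]map[string]bool

// Tuple is a stored relationship; document:1#viewer@user:jon is {"document:1", "viewer", "user:jon"}.
type Tuple struct{ Object, Relation, User string }

// TupleAllowed reports whether a stored tuple still satisfies the type
// restriction of the model it is evaluated against.
func TupleAllowed(m Model, t Tuple) bool {
	objType := strings.SplitN(t.Object, ":", 2)[0] // "document:1" -> "document"
	userType := strings.SplitN(t.User, ":", 2)[0]  // "user:jon" -> "user"
	return m[objType+"#"+t.Relation][userType]
}

// Check evaluates a direct relationship check. A matching tuple whose user
// type the current model no longer permits must not grant access.
func Check(m Model, tuples []Tuple, user, relation, object string) bool {
	for _, t := range tuples {
		if t.Object == object && t.Relation == relation && t.User == user {
			return TupleAllowed(m, t)
		}
	}
	return false
}

// StaleTuples lists tuples that violate the current model's type restrictions,
// an audit to run over the tuple store after a model's restrictions change.
func StaleTuples(m Model, tuples []Tuple) []Tuple {
	var out []Tuple
	for _, t := range tuples {
		if !TupleAllowed(m, t) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	// Constructed input following the advisory's steps 2 to 5.
	tuples := []Tuple{{"document:1", "viewer", "user:jon"}} // written under `define viewer: [user]`
	updated := Model{"document#viewer": {"employee": true}}  // model now reads `define viewer: [employee]`
	fmt.Println(Check(updated, tuples, "user:jon", "viewer", "document:1")) // false: stale tuple grants nothing
	fmt.Println(StaleTuples(updated, tuples))
}
```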

@timothy-king timothy-king self-assigned this Dec 20, 2022
@timothy-king

Duplicate of #1179

@timothy-king timothy-king marked this as a duplicate of #1179 Dec 20, 2022