You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
- module: TODO
versions:
- introduced: TODO (earliest fixed "0.3.1", vuln range "= 0.3.0")
packages:
- package: github.com/openfga/openfga
description: |-
### Overview
During our internal security assessment, it was discovered that OpenFGA versions v0.3.0 is vulnerable to authorization bypass under certain conditions.
### Am I Affected?
You are affected by this vulnerability if **all** of the following applies:
1. You are using OpenFGA v0.3.0
2. You created a model using modeling language v1.1 that applies a type restriction to an object e.g. `define viewer: [user]`
3. You created tuples based on the aforementioned model, e.g. `document:1#viewer@user:jon`
4. You updated the previous model by adding a new type and replacing the previous restriction with the newly added type e.g. `define viewer: [employee]`
5. You use the tuples created against the first model (step 3) and issue checks against the updated model e.g. `user=user:jon, relation=viewer, object:document:1`
### How to fix that?
Upgrade to version v0.3.1
### Backward Compatibility
This update is backward compatible.
cves:
- CVE-2022-23542
ghsas:
- GHSA-m3q4-7qmj-657m
The text was updated successfully, but these errors were encountered:
In GitHub Security Advisory GHSA-m3q4-7qmj-657m, there is a vulnerability in the following Go packages or modules:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: