Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-40579 #2029

Closed
GoVulnBot opened this issue Aug 25, 2023 · 1 comment

Comments

@GoVulnBot
Copy link

CVE-2023-40579 references github.com/openfga/openfga, which may be a Go module.

Description:
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1. This issue has been patched in version 1.3.1.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.3.1
      packages:
        - package: openfga
description: |-
    OpenFGA is an authorization/permission engine built for developers and inspired
    by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable
    to authorization bypass when calling the ListObjects API. The vulnerability
    affects customers using `ListObjects` with specific models. The affected models
    contain expressions of type `rel1 from type1`. This issue has been patched in
    version 1.3.1.
cves:
    - CVE-2023-40579
references:
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp
    - web: https://github.com/openfga/openfga/releases/tag/v1.3.1

@tatianab
Copy link
Contributor

Duplicate of #2028

@tatianab tatianab marked this as a duplicate of #2028 Aug 30, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Projects
None yet
Development

No branches or pull requests

2 participants