Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-23820 #2477

Closed
GoVulnBot opened this issue Jan 26, 2024 · 2 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2024-23820 references github.com/openfga/openfga, which may be a Go module.

Description:
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an out of memory error and terminate. Version 1.4.3 contains a patch for this issue.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.4.3
      packages:
        - package: openfga
cves:
    - CVE-2024-23820
references:
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87
    - fix: https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39
    - web: https://github.com/openfga/openfga/releases/tag/v1.4.3

@tatianab tatianab self-assigned this Jan 26, 2024
@tatianab tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jan 31, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/560816 mentions this issue: data/excluded: batch add 14 excluded reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592778 mentions this issue: data/reports: unexclude 80 reports

gopherbot pushed a commit that referenced this issue Jun 28, 2024
  - data/reports/GO-2024-2521.yaml
  - data/reports/GO-2024-2434.yaml
  - data/reports/GO-2024-2537.yaml
  - data/reports/GO-2024-2432.yaml
  - data/reports/GO-2024-2483.yaml
  - data/reports/GO-2024-2480.yaml
  - data/reports/GO-2024-2433.yaml
  - data/reports/GO-2024-2530.yaml
  - data/reports/GO-2024-2556.yaml
  - data/reports/GO-2024-2472.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2560.yaml
  - data/reports/GO-2024-2561.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2491.yaml
  - data/reports/GO-2024-2479.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2496.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2558.yaml
  - data/reports/GO-2024-2430.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2431.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2495.yaml
  - data/reports/GO-2024-2557.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2512.yaml
  - data/reports/GO-2024-2528.yaml
  - data/reports/GO-2024-2529.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2562.yaml
  - data/reports/GO-2024-2441.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2477.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2510.yaml
  - data/reports/GO-2024-2564.yaml
  - data/reports/GO-2024-2476.yaml
  - data/reports/GO-2024-2527.yaml
  - data/reports/GO-2024-2481.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2457.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2440.yaml
  - data/reports/GO-2024-2500.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2550.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2516.yaml
  - data/reports/GO-2024-2531.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2563.yaml
  - data/reports/GO-2024-2532.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2535.yaml
  - data/reports/GO-2024-2458.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2549.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2559.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2565.yaml

Updates #2521
Updates #2434
Updates #2537
Updates #2432
Updates #2483
Updates #2480
Updates #2433
Updates #2530
Updates #2556
Updates #2472
Updates #2540
Updates #2560
Updates #2561
Updates #2590
Updates #2428
Updates #2508
Updates #2592
Updates #2511
Updates #2491
Updates #2479
Updates #2509
Updates #2589
Updates #2496
Updates #2505
Updates #2558
Updates #2430
Updates #2594
Updates #2431
Updates #2488
Updates #2495
Updates #2557
Updates #2442
Updates #2593
Updates #2512
Updates #2528
Updates #2529
Updates #2588
Updates #2562
Updates #2441
Updates #2591
Updates #2477
Updates #2448
Updates #2510
Updates #2564
Updates #2476
Updates #2527
Updates #2481
Updates #2445
Updates #2457
Updates #2446
Updates #2447
Updates #2501
Updates #2440
Updates #2500
Updates #2444
Updates #2550
Updates #2523
Updates #2516
Updates #2531
Updates #2595
Updates #2520
Updates #2582
Updates #2485
Updates #2541
Updates #2563
Updates #2532
Updates #2450
Updates #2515
Updates #2499
Updates #2514
Updates #2535
Updates #2458
Updates #2449
Updates #2549
Updates #2517
Updates #2478
Updates #2559
Updates #2486
Updates #2513
Updates #2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants