x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-31452 #2729

Closed
GoVulnBot opened this issue Apr 16, 2024 · 2 comments

@GoVulnBot

CVE-2024-31452 references github.com/openfga/openfga, which may be a Go module.

Description:
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b). This vulnerability is fixed in v1.5.3.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.5.2
      packages:
        - package: openfga
cves:
    - CVE-2024-31452
references:
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r
    - fix: https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2

@jba self-assigned this Apr 19, 2024

@gopherbot

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

@gopherbot

Change https://go.dev/cl/590039 mentions this issue: data/reports: add 51 reports
