6.5

CVE-2023-40579

EPSS 0.07%
Veröffentlicht 25.08.2023 20:15:08
Zuletzt bearbeitet 21.11.2024 08:19:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using `ListObjects` with specific models. The affected models contain expressions of type `rel1 from type1`. This issue has been patched in version 1.3.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openfga ≫ Openfga Version < 1.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.203

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/openfga/openfga/releases/tag/v1.3.1

Release Notes

https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-40579

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40579

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40579

EUVD