CVE-2024-31452

EPSS 0.66%
Veröffentlicht 16.04.2024 22:15:35
Zuletzt bearbeitet 05.01.2026 16:20:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenFGA Authorization Bypass

OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openfga ≫ Openfga Version >= 1.5.0 < 1.5.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.66%	0.465

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2

Patch

https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-31452

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-31452

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-31452

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-31452