CVE-2022-36085 - OpenCVE

Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Openpolicyagent	Open Policy Agent

Configuration 1 [-]

cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823	Patch Third Party Advisory
https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8	Patch Third Party Advisory
https://github.com/open-policy-agent/opa/pull/4540	Exploit Patch Third Party Advisory
https://github.com/open-policy-agent/opa/pull/4616	Exploit Patch Third Party Advisory
https://github.com/open-policy-agent/opa/releases/tag/v0.43.1	Third Party Advisory
https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-08T13:30:16

Updated: 2022-09-08T13:30:16

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36085

JSON object: View

NVD Information

Status : Modified

Published: 2022-09-08T14:15:08.340

Modified: 2023-11-07T03:49:32.727

Link: CVE-2022-36085

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "opa", "vendor": "open-policy-agent", "versions": [{"status": "affected", "version": ">= 0.40.0, < 0.43.1"}]}], "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T13:30:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}], "source": {"advisory": "GHSA-f524-rf33-2jjr", "discovery": "UNKNOWN"}, "title": "OPA Compiler: Bypass of WithUnsafeBuiltins using `with` keyword to mock functions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36085", "STATE": "PUBLIC", "TITLE": "OPA Compiler: Bypass of WithUnsafeBuiltins using `with` keyword to mock functions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "opa", "version": {"version_data": [{"version_value": ">= 0.40.0, < 0.43.1"}]}}]}, "vendor_name": "open-policy-agent"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693: Protection Mechanism Failure"}]}, {"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr", "refsource": "CONFIRM", "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}, {"name": "https://github.com/open-policy-agent/opa/pull/4540", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"name": "https://github.com/open-policy-agent/opa/pull/4616", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"name": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"name": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"name": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}]}, "source": {"advisory": "GHSA-f524-rf33-2jjr", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36085", "datePublished": "2022-09-08T13:30:16", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2022-09-08T13:30:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "24044142-C7B3-4994-9F36-5ED0299C8E5B", "versionEndExcluding": "0.43.1", "versionStartIncluding": "0.40.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead."}, {"lang": "es", "value": "Open Policy Agent (OPA) es un motor de pol\u00edticas de prop\u00f3sito general de c\u00f3digo abierto. El compilador de Rego proporciona una funci\u00f3n \"WithUnsafeBuiltins\" (en desuso), que permite a usuarios proporcionar un conjunto de funciones integradas que el compilador deber\u00eda considerar inseguras y, como tales, rechazarlas si son encontradas en la etapa de compilaci\u00f3n de pol\u00edticas. . Se ha encontrado una omisi\u00f3n de esta protecci\u00f3n, en la que \"WithUnsafeBuiltins\" no es tenido en cuenta el uso de la palabra clave \"with\" para simular una funci\u00f3n integrada de este tipo (una caracter\u00edstica introducida en OPA v0.40.0). Deben cumplirse m\u00faltiples condiciones para crear un efecto adverso. La versi\u00f3n 0.43.1 contiene un parche para este problema. Como mitigaci\u00f3n, evite usar la funci\u00f3n \"WithUnsafeBuiltins\" y use la funcionalidad \"capabilities\" en su lugar"}], "id": "CVE-2022-36085", "lastModified": "2023-11-07T03:49:32.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-08T14:15:08.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}]}