OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using `ListObjects` with specific models. The affected models contain expressions of type `rel1 from type1`. This issue has been patched in version 1.3.1.
References
Link | Resource |
---|---|
https://github.com/openfga/openfga/releases/tag/v1.3.1 | Release Notes |
https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-08-25T19:46:40.700Z
Updated: 2023-08-25T19:46:40.700Z
Reserved: 2023-08-16T18:24:02.391Z
Link: CVE-2023-40579
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-08-25T20:15:08.800
Modified: 2023-08-31T17:39:36.077
Link: CVE-2023-40579
JSON object: View
Redhat Information
No data.
CWE