CVE-2024-23820 - OpenCVE

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Openfga	Openfga

Configuration 1 [-]

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39	Patch
https://github.com/openfga/openfga/releases/tag/v1.4.3	Release Notes
https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-26T16:37:27.065Z

Updated: 2024-01-26T16:37:27.065Z

Reserved: 2024-01-22T22:23:54.337Z

Link: CVE-2024-23820

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-26T17:15:13.287

Modified: 2024-02-01T16:30:14.907

Link: CVE-2024-23820

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-23820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-22T22:23:54.337Z", "datePublished": "2024-01-26T16:37:27.065Z", "dateUpdated": "2024-01-26T16:37:27.065Z"}, "containers": {"cna": {"title": "OpenFGA DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"}, {"name": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"}, {"name": "https://github.com/openfga/openfga/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "< 1.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-26T16:37:27.065Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue."}], "source": {"advisory": "GHSA-rxpw-85vw-fx87", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2F9E0AB-95A2-438B-ABA0-67EECF03D0C7", "versionEndExcluding": "1.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue."}, {"lang": "es", "value": "OpenFGA, un motor de autorizaci\u00f3n/permisos, es vulnerable a un ataque de denegaci\u00f3n de servicio en versiones anteriores a la 1.4.3. En algunos escenarios que dependen del modelo y las tuplas utilizadas, es posible que una llamada a `ListObjects` no libere memoria correctamente. Entonces, cuando se ejecuta una cantidad suficientemente alta de esas llamadas, el servidor OpenFGA puede crear un error de \"memoria insuficiente\" y finalizar. La versi\u00f3n 1.4.3 contiene un parche para este problema."}], "id": "CVE-2024-23820", "lastModified": "2024-02-01T16:30:14.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-26T17:15:13.287", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}