CVE-2022-23542

Published Dec 20, 2022

Last updated a year ago

CVSS critical 9.8

Overview

Description: OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.
Source: security-advisories@github.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-285

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "83D51F01-FDB6-48DB-BD8F-88EE6A5CE24B",
            "versionEndExcluding": "0.3.1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References