x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
timothy-king
added
excluded: EFFECTIVELY_PRIVATE
|
Change https://go.dev/cl/446359 mentions this issue: |
This was referenced Aug 25, 2023
|
Change https://go.dev/cl/592774 mentions this issue: |
This was referenced Aug 9, 2024
|
Change https://go.dev/cl/607231 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2022-1079.yaml - data/reports/GO-2022-1080.yaml - data/reports/GO-2022-1081.yaml - data/reports/GO-2022-1089.yaml - data/reports/GO-2022-1099.yaml - data/reports/GO-2022-1100.yaml - data/reports/GO-2022-1105.yaml - data/reports/GO-2022-1106.yaml - data/reports/GO-2022-1107.yaml - data/reports/GO-2022-1119.yaml - data/reports/GO-2022-1120.yaml - data/reports/GO-2022-1121.yaml - data/reports/GO-2022-1132.yaml - data/reports/GO-2022-1135.yaml - data/reports/GO-2022-1138.yaml - data/reports/GO-2022-1147.yaml - data/reports/GO-2022-1151.yaml - data/reports/GO-2022-1152.yaml - data/reports/GO-2022-1153.yaml - data/reports/GO-2022-1154.yaml Updates #1079 Updates #1080 Updates #1081 Updates #1089 Updates #1099 Updates #1100 Updates #1105 Updates #1106 Updates #1107 Updates #1119 Updates #1120 Updates #1121 Updates #1132 Updates #1135 Updates #1138 Updates #1147 Updates #1151 Updates #1152 Updates #1153 Updates #1154 Change-Id: Ice57e62cbaec73a848639ed6de50434eac91a368 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607231 Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]> Commit-Queue: Tatiana Bradley <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2022-39340 references github.com/openfga/openfga, which may be a Go module.
Description:
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the
streamed-list-objectsendpoint was not validating the authorization header, resulting in disclosure of objects in the store. Usersopenfga/openfgaversions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.References:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: