x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-40579

[GoVulnBot]

CVE-2023-40579 references github.com/openfga/openfga, which may be a Go module.

Description:
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1. This issue has been patched in version 1.3.1.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-40579
• JSON: https://github.com/CVEProject/cvelist/tree/177e8e53a35e6b47a660608801023f9a3065e553/2023/40xxx/CVE-2023-40579.json
• advisory: GHSA-jcf2-mxr2-gmqp
• web: https://github.com/openfga/openfga/releases/tag/v1.3.1
• Imported by: https://pkg.go.dev/github.com/openfga/openfga?tab=importedby

Cross references:

• Module github.com/openfga/openfga appears in issue x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079 EFFECTIVELY_PRIVATE
• Module github.com/openfga/openfga appears in issue x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39341 #1080 EFFECTIVELY_PRIVATE
• Module github.com/openfga/openfga appears in issue x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39342 #1081 EFFECTIVELY_PRIVATE
• Module github.com/openfga/openfga appears in issue x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099 EFFECTIVELY_PRIVATE
• Module github.com/openfga/openfga appears in issue x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-23542 #1179 EFFECTIVELY_PRIVATE
• Module github.com/openfga/openfga appears in issue x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-35933 #1872

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.3.1
      packages:
        - package: openfga
description: |-
    OpenFGA is an authorization/permission engine built for developers and inspired
    by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable
    to authorization bypass when calling the ListObjects API. The vulnerability
    affects customers using `ListObjects` with specific models. The affected models
    contain expressions of type `rel1 from type1`. This issue has been patched in
    version 1.3.1.
cves:
    - CVE-2023-40579
references:
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp
    - web: https://github.com/openfga/openfga/releases/tag/v1.3.1

[tatianab]

Duplicate of #2028