Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061

Closed
GoVulnBot opened this issue Aug 9, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061

GoVulnBot opened this issue Aug 9, 2024 · 2 comments
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-3f6g-m4hr-59h8 references a vulnerability in the following Go modules:

Module
github.com/openfga/openfga

Description:

Overview

OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset.

Fix

Downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible.

We are currently working on a fix which will be included in the next release.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 1.5.7, <= 1.5.8")
      vulnerable_at: 1.5.8
summary: OpenFGA Authorization Bypass in github.com/openfga/openfga
cves:
    - CVE-2024-42473
ghsas:
    - GHSA-3f6g-m4hr-59h8
references:
    - advisory: https://github.com/advisories/GHSA-3f6g-m4hr-59h8
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-3f6g-m4hr-59h8
source:
    id: GHSA-3f6g-m4hr-59h8
    created: 2024-08-09T22:01:12.894721843Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/605315 mentions this issue: data/reports: add 7 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/604940 mentions this issue: data/reports: update GO-2024-3061

gopherbot pushed a commit that referenced this issue Aug 15, 2024
@tatianab @gopherbot
data/reports: update GO-2024-3061
69ff61e 
Re-generate report to pull in new info.

  - data/reports/GO-2024-3061.yaml

Updates #3061
Fixes #3069

Change-Id: I9376ccb1ed634dd6c0e93d7bccdcb7c2caf2caed
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/604940
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
@tatianab tatianab mentioned this issue Aug 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot