CVE-2023-40579 MEDIUM

CVE-2023-40579: OpenFGA Authorization Bypass

Vendor Openfga
Product openfga
Weakness CWE-284
Published August 25, 2023
Last update October 1, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the `ListObjects` API. Only deployments that call `ListObjects` against specific models are affected: those whose authorization model contains expressions of the form `rel1 from type1`. This issue has been patched in version 1.3.1.

Key dates

Disclosure timeline

August 25, 2023 CVE published
October 1, 2024 Record updated