Vulnerability Details : CVE-2023-40579
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using `ListObjects` with specific models. The affected models contain expressions of type `rel1 from type1`. This issue has been patched in version 1.3.1.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-40579
- cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-40579
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~27% (the proportion of vulnerabilities scored at or below this level)
CVSS scores for CVE-2023-40579
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2023-40579
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-40579
- https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp
  OpenFGA Authorization Bypass · Advisory · openfga/openfga · GitHub (Vendor Advisory)
- https://github.com/openfga/openfga/releases/tag/v1.3.1
  Release v1.3.1 · openfga/openfga · GitHub (Release Notes)