Skip to main content

Openfga CVE-2022-39342

CRITICAL
Improper Authorization (CWE-285)
2022-10-25 security-advisories@github.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 25, 2022 - 17:15 nvd
CRITICAL 9.8

DescriptionNVD

OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.

AnalysisAI

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-285. OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue. Affected products include: Openfga. Version information: version 0.2.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-35933 HIGH POC
7.5 Jun 26

OPenFGA is an open source authorization/permission engine built for developers. Rated high severity (CVSS 7.5), this vul

CVE-2024-42473 CRITICAL
9.8 Aug 12

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2024-31452 CRITICAL
9.8 Apr 16

OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vul

CVE-2022-23542 CRITICAL
9.8 Dec 20

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated critical sever

CVE-2022-39352 CRITICAL
9.8 Nov 08

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Rated critical severity (CVSS

CVE-2022-39341 CRITICAL
9.8 Oct 25

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2026-24851 HIGH
8.8 Feb 06

Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases)

CVE-2023-45810 HIGH
7.5 Oct 17

OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated high s

CVE-2026-40293 MEDIUM
6.5 Apr 17

OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenti

CVE-2024-23820 MEDIUM
6.5 Jan 26

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. Rat

CVE-2023-40579 MEDIUM
6.5 Aug 25

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit

CVE-2023-43645 MEDIUM
5.9 Sep 27

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit

Share

CVE-2022-39342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy