Skip to main content

Fastapi OPA CVE-2024-40627

MEDIUM
Observable Response Discrepancy (CWE-204)
2024-07-15 security-advisories@github.com
5.8
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 15, 2024 - 20:15 cve.org
MEDIUM 5.8

DescriptionCVE.org

Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against any policy. If an application provides different responses to HTTP OPTIONS requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Fastapi OPA is an opensource fastapi middleware which includes auth flow. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-204. Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against any policy. If an application provides different responses to HTTP OPTIONS requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. Version information: version 2.0.1..

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2024-40627 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy