CVE-2022-39342: OpenFGA is an authorization/permission engine. Versions prior to v0.2.4 are vulnerable to authorization bypass under certain conditions.

The following example would be vulnerable under some circumstances: user.add_relation(:friends, :order) # =

Install the Gem: gem install friends_order

The following example would not be vulnerable: user.add_relation(:friends, :order) #

What is a Relation?

A relation is an association between two records. It can be used to specify relationships such as "friendship" or "parent-child".

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 00:52:00 UTC

References