Jonathan Whitaker

6 exploits Active since Oct 2022
CVE-2022-39341 WRITEUP MEDIUM WRITEUP
OpenFGA < 0.2.4 - Authorization Bypass via Wildcard TupleSet Relations
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.
CVSS 5.9
CVE-2022-39342 WRITEUP MEDIUM WRITEUP
OpenFGA < 0.2.4 - Authorization Bypass via Tupleset Relation
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.
CVSS 5.9
CVE-2023-35933 WRITEUP MEDIUM WRITEUP
OpenFGA < 1.1.1 - Denial of Service via Circular Relationship Definitions
OPenFGA is an open source authorization/permission engine built for developers. OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when Check and ListObjects calls are executed against authorization models that contain circular relationship definitions. Users are affected by this vulnerability if they are using OpenFGA v1.1.0 or earlier, and if you are executing `Check` or `ListObjects` calls against a vulnerable authorization model. Users are advised to upgrade to version 1.1.1. There are no known workarounds for this vulnerability. Users that do not have circular relationships in their models are not affected.
CVSS 5.9
CVE-2023-43645 WRITEUP MEDIUM WRITEUP
OpenFGA < 1.3.2 - Denial of Service via Circular Relationship Definitions
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.
CVSS 5.9
CVE-2024-23820 WRITEUP MEDIUM WRITEUP
OpenFGA < 1.4.3 - Denial of Service via ListObjects Memory Leak
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue.
CVSS 5.3
CVE-2024-31452 WRITEUP HIGH WRITEUP
OpenFGA 1.5.0-1.5.3 - Authorization Bypass via Exclusion or Intersection in Check or ListObjects APIs
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.
CVSS 8.1