Maria Ines Parnisari

2 exploits, active since Oct 2022
CVE-2022-39340 MEDIUM WRITEUP
OpenFGA < 0.2.4 - Missing Authorization
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint did not validate the authorization header, resulting in disclosure of objects in the store. Users of `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.
CVSS 5.3
CVE-2025-49011 LOW WRITEUP
SpiceDB < 1.44.2 - Info Disclosure
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.
CVSS 3.7