CVE-2024-8260

MEDIUM

OPA for Windows <v0.68.0 - SMB Force-Authentication

Title source: llm

Description

A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

References (1)

[Third Party Advisory] https://www.tenable.com/security/research/tra-2024-36

Scores

CVSS v3 6.1

EPSS 0.0014

EPSS Percentile 34.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Classification

CWE

CWE-294

Status published

Affected Products (2)

openpolicyagent/open_policy_agent < 0.68.0

open-policy-agent/opa < 0.68.0Go

Timeline

Published Aug 30, 2024

Tracked Since Feb 18, 2026