CVE-2024-42473: OpenFGA Authorization Bypass

August 9, 2024

Overview

OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset.

For example, with a model like the following

 model
    schema 1.1

  type user

  type role
    relations
      define assignee: [user]

  type permission
    relations
      define assignee: assignee from role
      define role: [role]

  type job
    relations
      define can_read: [permission#assignee]
      define problem: [user] but not can_read

and these tuples:

user:1, problem, job:1
user:1, assignee, role:admin
role:admin, role, permission:readJobs
permission:readJobs#assignee, can_read, job:1

A query such as Check(object=job:1, relation=problem, user=user:1) will return allowed=true when the correct response is allowed=false.

Fix

Downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible.

We are currently working on a fix which will be included in the next release.

References

Code Behaviors & Features

Detect and mitigate CVE-2024-42473 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →