CVE-2024-42473: OpenFGA Authorization Bypass
Overview
OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not
and from
expressions and a userset.
For example, with a model like the following
model
schema 1.1
type user
type role
relations
define assignee: [user]
type permission
relations
define assignee: assignee from role
define role: [role]
type job
relations
define can_read: [permission#assignee]
define problem: [user] but not can_read
and these tuples:
user:1, problem, job:1
user:1, assignee, role:admin
role:admin, role, permission:readJobs
permission:readJobs#assignee, can_read, job:1
A query such as Check(object=job:1, relation=problem, user=user:1)
will return allowed=true
when the correct response is allowed=false
.
Fix
Downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible.
We are currently working on a fix which will be included in the next release.
References
Detect and mitigate CVE-2024-42473 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →