fkie_cve-2025-25196
Vulnerability from fkie_nvd
Published
2025-02-19 21:15
Modified
2025-02-19 21:15
Severity ?
5.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tuple is assigned to an object. 3. userset tuple is not assigned to the same object. and 4. Check request's user field is a userset that has the same type as the type bound public access tuple's user type. Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588
security-advisories@github.comhttps://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA \u003c v1.8.4 (Helm chart \u003c openfga-0.2.22, docker \u003c v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tuple is assigned to an object. 3. userset tuple is not assigned to the same object. and 4. Check request\u0027s user field is a userset that has the same type as the type bound public access tuple\u0027s user type. Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "OpenFGA es un motor de autorizaci\u00f3n/permiso de alto rendimiento y flexible creado para desarrolladores e inspirado en Google Zanzibar. OpenFGA \u0026lt; v1.8.4 (Helm chart \u0026lt; openfga-0.2.22, docker \u0026lt; v.1.8.4) es vulnerable a la omisi\u00f3n de autorizaci\u00f3n cuando se ejecutan ciertas llamadas Check y ListObject. Los usuarios de OpenFGA v1.8.4 o anteriores, espec\u00edficamente en las siguientes condiciones, se ven afectados por esta vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n: 1. Llamar a la API Check o ListObjects con un modelo que tiene una relaci\u00f3n directamente asignable tanto al acceso p\u00fablico como al conjunto de usuarios con el mismo tipo. 2. Una tupla de acceso p\u00fablico vinculada a un tipo se asigna a un objeto. 3. La tupla de conjunto de usuarios no se asigna al mismo objeto. y 4. El campo de usuario de la solicitud Check es un conjunto de usuarios que tiene el mismo tipo que el tipo de usuario de la tupla de acceso p\u00fablico vinculada a un tipo. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.8.5, que es compatible con versiones anteriores. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-25196",
  "lastModified": "2025-02-19T21:15:15.577",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-19T21:15:15.577",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.