ghsa-rxpw-85vw-fx87
Vulnerability from github
Published: 2024-01-26 20:12
Modified: 2024-01-26 20:12
Summary: OpenFGA denial of service
Details

Overview

OpenFGA is vulnerable to a DoS attack. In some scenarios, depending on the authorization model and tuples used, a call to ListObjects may not release memory properly. When a sufficiently high number of such calls are executed, the OpenFGA server can hit an "out of memory" error and terminate.

Fix

Upgrade to v1.4.3. This upgrade is backwards compatible.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-26T20:12:00Z",
    "nvd_published_at": "2024-01-26T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "## Overview\nOpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not  release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an \"out of memory\" error and terminate.\n\n## Fix\nUpgrade to v1.4.3. This upgrade is backwards compatible.",
  "id": "GHSA-rxpw-85vw-fx87",
  "modified": "2024-01-26T20:12:00Z",
  "published": "2024-01-26T20:12:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenFGA denial of service"
}
