Improper Authorization Affecting github.com/openfga/openfga/internal/keys package, versions >=1.3.8 <1.8.3


Severity: medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMOPENFGAOPENFGAINTERNALKEYS-8622670
  • Published: 14 Jan 2025
  • Disclosed: 13 Jan 2025
  • Credit: Unknown

Introduced: 13 Jan 2025

CVE-2024-56323
CWE-285

How to fix?

Upgrade github.com/openfga/openfga/internal/keys to version 1.8.3 or higher.

Overview

Affected versions of this package are vulnerable to Improper Authorization due to improper handling of certain API calls involving Check and ListObject with conditions. An attacker can bypass authorization controls by exploiting the check query caching mechanism when specific conditions are met: a cached result can be reused for a request whose contextual tuples carry conditions, returning an authorization decision that was not evaluated against those conditions.

Note: This is only exploitable if OpenFGA is configured with OPENFGA_CHECK_QUERY_CACHE_ENABLED and the API calls include contextual tuples that contain conditions. Deployments that do not enable the check query cache, or that do not use conditional contextual tuples in Check and ListObject requests, are not affected by this issue.
