Incorrect Permission Assignment for Critical Resource Affecting github.com/open-policy-agent/opa/loader package, versions <0.68.0


Severity

Snyk recommended severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.04% (11th percentile)

  • Snyk ID SNYK-GOLANG-GITHUBCOMOPENPOLICYAGENTOPALOADER-7856111
  • published 1 Sep 2024
  • disclosed 30 Aug 2024
  • credit Shelly Raban

How to fix?

Upgrade github.com/open-policy-agent/opa/loader to version 0.68.0 or higher.

Overview

github.com/open-policy-agent/opa/loader is the loader package of Open Policy Agent (OPA), a general-purpose policy engine.

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource because the Rego.Load() and Rego.LoadBundle() functions accept arbitrary UNC paths as arguments. An attacker who can control the arguments to these functions can pass an SMB share location instead of a Rego file path to the loader's AsBundle() function, which may leak the Net-NTLMv2 hash of the current user.

Note: This vulnerability is only present on Windows.
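As an added defensive example (not code from the OPA project), the following Go guard rejects UNC-style paths before a caller hands them to Rego.Load() or Rego.LoadBundle(); the function names isUNCPath and RejectUNCPaths are assumed, and the check is textual so it behaves identically on Windows and on non-Windows test hosts.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUNCPath is returned when a path refers to a network share.
var ErrUNCPath = errors.New("UNC paths are not allowed for policy loading")

// isUNCPath reports whether p is a UNC reference such as \\host\share\file,
// //host/share/file, or the extended forms \\?\UNC\host\share and \\.\...
// The check is purely textual (no filepath.VolumeName), so it gives the same
// answer on Linux CI as on the Windows hosts where the leak is possible.
func isUNCPath(p string) bool {
	// Normalise separators so both slash styles are handled identically.
	n := strings.ReplaceAll(p, "\\", "/")
	if !strings.HasPrefix(n, "//") {
		return false
	}
	rest := strings.TrimPrefix(n, "//")
	// Extended-length device prefixes always name a device or UNC target.
	if strings.HasPrefix(rest, "?/") || strings.HasPrefix(rest, "./") {
		return true
	}
	// A plain //host/... is a share reference as soon as a host name follows.
	return rest != "" && rest[0] != '/'
}

// RejectUNCPaths fails closed if any path in the list is a UNC reference,
// so the list can be validated before it reaches the OPA loader
// (hypothetical wrapper, not an OPA API).
func RejectUNCPaths(paths []string) error {
	for _, p := range paths {
		if isUNCPath(p) {
			return fmt.Errorf("%w: %q", ErrUNCPath, p)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: a local policy file and a share reference.
	fmt.Println(RejectUNCPaths([]string{"policies/main.rego"}))           // <nil>
	fmt.Println(RejectUNCPaths([]string{`\\fileserver\share\main.rego`})) // error
}
```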

CVSS Scores

CVSS version 4.0 (Snyk, recommended): 6 medium
  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Attack Requirements (AT): None
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Vulnerable System impact
    • Confidentiality (VC): High
    • Integrity (VI): None
    • Availability (VA): None
  • Subsequent System impact
    • Confidentiality (SC): Low
    • Integrity (SI): Low
    • Availability (SA): Low