CVE-2023-35933

low-risk
Published 2023-06-26

OPenFGA is an open source authorization/permission engine built for developers. OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when Check and ListObjects calls are executed against authorization models that contain circular relationship definitions. Users are affected by this vulnerability if they are using OpenFGA v1.1.0 or earlier, and if you are executing `Check` or `ListObjects` calls against a vulnerable authorization model. Users are advised to upgrade to version 1.1.1. There are no known workarounds for this vulnerability. Users that do not have circular relationships in their models are not affected.

Do I need to act?

-
0.37% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Openfga

Affected Vendors

Openfga

References (8)

Patch https://github.com/openfga/openfga/commit/087ce392595f3c319ab3028b5089118ea40634...
Vendor Advisory https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j
Exploit https://openfga.dev/api/service#/Relationship%20Queries/Check
Exploit https://openfga.dev/api/service#/Relationship%20Queries/ListObjects
Patch https://github.com/openfga/openfga/commit/087ce392595f3c319ab3028b5089118ea40634...
Vendor Advisory https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j
Exploit https://openfga.dev/api/service#/Relationship%20Queries/Check
Exploit https://openfga.dev/api/service#/Relationship%20Queries/ListObjects
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal