golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

CVE-2022-39352 references github.com/openfga/openfga, which may be a Go module.

Description: OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/openfga/openfga
    packages:
      - package: openfga
description: |
    OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.
cves:
  - CVE-2022-39352
references:
  - web: https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w

gopherbot commented 1 year ago

Change https://go.dev/cl/448815 mentions this issue: data/excluded: add GO-2022-1099.yaml

gopherbot commented 4 months ago

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports

gopherbot commented 2 months ago

Change https://go.dev/cl/607231 mentions this issue: data/reports: unexclude 20 reports (29)