CVE-2022-23542: OpenFGA Authorization Bypass
CVSS Score: N/A
Basic Information
CVE ID: CVE-2022-23542
GHSA ID:
EPSS Score: 0.07821%
CWE:
Published: 12/20/2022
Updated: 1/29/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/openfga/openfga | go | = 0.3.0 | 0.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing type-restriction filters in the relationship lookup functions. The fix in GitHub PR #422 shows that these lookup functions were modified to add 'filter by allowed object type' logic. In v0.3.0, when checking relationships, they returned tuples that were valid under previous versions of the authorization model without validating them against the current model's type restrictions, so a tuple written before a type restriction was tightened continued to grant access after the model was updated. The direct correspondence between the vulnerability description (legacy tuples still being honored after type-restriction changes) and the patched code locations confirms these functions' role.
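To make the root cause concrete, the following Go program is an added example, not OpenFGA's code: it models a tuple store with a simplified authorization model, and compares a lookup that returns every stored tuple (the v0.3.0 behaviour) with one that filters candidates by the types the current model allows for the relation (the behaviour the fix introduces). The `object:id` tuple format, the `Model` map, the sample tuples and the function names are assumptions; usersets such as `team:eng#member` and relation rewrites are deliberately left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a stored relationship "object#relation@user" (simplified: direct users only).
type Tuple struct{ Object, Relation, User string }
// Model maps "objectType#relation" to the user types the current model permits
// (a stand-in for the relation's type restrictions; naming is an assumption).
type Model map[string][]string
func typeOf(s string) string { return strings.SplitN(s, ":", 2)[0] }

// lookupUnfiltered mirrors v0.3.0: every stored tuple for object#relation comes back,
// even one written under an older model version with looser type restrictions.
func lookupUnfiltered(store []Tuple, object, relation string) []Tuple {
	var out []Tuple
	for _, t := range store {
		if t.Object == object && t.Relation == relation {
			out = append(out, t)
		}
	}
	return out
}

// lookupFiltered mirrors the fix: tuples whose user type the current model no longer
// allows for this relation are dropped before the check evaluates the candidates.
func lookupFiltered(store []Tuple, m Model, object, relation string) []Tuple {
	allowed := map[string]bool{}
	for _, ut := range m[typeOf(object)+"#"+relation] {
		allowed[ut] = true
	}
	var out []Tuple
	for _, t := range lookupUnfiltered(store, object, relation) {
		if allowed[typeOf(t.User)] {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	store := []Tuple{ // constructed tuples; the team one was written under an older model
		{"document:readme", "viewer", "team:eng"},
		{"document:readme", "viewer", "user:anne"},
	}
	current := Model{"document#viewer": {"user"}} // viewer is now limited to type user
	fmt.Println("v0.3.0:", lookupUnfiltered(store, "document:readme", "viewer"))
	fmt.Println("fixed: ", lookupFiltered(store, current, "document:readme", "viewer"))
}
```

Under the unfiltered lookup the legacy `team:eng` tuple still reaches the check and grants access; after the filter it is discarded because `team` is no longer an allowed type for `document#viewer`.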