CVE-2022-23628: Incorrect Calculation in github.com/open-policy-agent/opa

CVSS Score (v3.1): 6.3

Basic Information

EPSS Score: 0.52472%
Published: 2/9/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name: github.com/open-policy-agent/opa
Ecosystem: go
Vulnerable Versions: >= 0.33.1, < 0.37.2
First Patched Version: 0.37.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The core vulnerability stems from the interaction between:

  1. Synthetic nodes created during optimization (without proper locations)
  2. groupIterable's location-based sorting in format.go
  3. Ast()'s default location assignment

The key fix in 932e4ff modified groupIterable to check for defaultLocationFile and avoid reordering when present. The vulnerable versions' groupIterable sorted elements by location row numbers, but synthetic nodes either lacked locations (pre-0.33.1) or had artificial ones (post-0.33.1 via Ast()), leading to unstable ordering. The Ast function's default location assignment (medium confidence) enabled the problematic sorting behavior when combined with groupIterable's logic.
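To make the mechanism concrete, here is an added Go model of the location-based reordering and of the check the fix introduces; it is a simplified illustration written for this page, not OPA's code. The marker value for defaultLocationFile, the function names orderVulnerable and orderFixed, and the array literal (taken from a path-comparison policy, the kind the advisory names as affected) are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Simplified model, not OPA's code. defaultLocationFile stands in for the marker
// the fix checks (name assumed); Term carries a value plus its source file and row.
const defaultLocationFile = "__default__"
type Term struct {
	Value string
	File  string
	Row   int
}

// orderVulnerable models the pre-fix groupIterable: elements are reordered by row
// alone, so a synthetic element with an artificial row changes position.
func orderVulnerable(terms []Term) []Term {
	out := append([]Term(nil), terms...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Row < out[j].Row })
	return out
}

// orderFixed models the fix: when any element carries the default location, the
// source order is kept, because synthetic rows say nothing about source order.
func orderFixed(terms []Term) []Term {
	for _, t := range terms {
		if t.File == defaultLocationFile {
			return append([]Term(nil), terms...)
		}
	}
	return orderVulnerable(terms)
}

// joined renders the literal as a path so that element order is visible.
func joined(terms []Term) string {
	parts := make([]string, len(terms))
	for i, t := range terms {
		parts[i] = t.Value
	}
	return "/" + strings.Join(parts, "/")
}

func main() {
	// Constructed literal ["api", "v1", "users"]; "users" came from optimization, so it has the default location.
	arr := []Term{{"api", "policy.rego", 7}, {"v1", "policy.rego", 7}, {"users", defaultLocationFile, 1}}
	fmt.Println(joined(orderVulnerable(arr)), joined(orderFixed(arr))) // /users/api/v1 /api/v1/users
}
```

A policy that compares split request paths against the literal stops matching /api/v1/users once the formatter emits the reordered version, which is the logic change the advisory describes.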

Impact

Under certain conditions, pretty-printing an AST that contains synthetic nodes could change the logic of some statements by reordering array literals. Examples of policies impacted are those that parse and compare web paths; see the example