CVE-2022-33082: Denial of service in Open Policy Agent
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.53647%
CWE
Published
7/1/2022
Updated
5/20/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/open-policy-agent/opa | go | < 0.42.0 | 0.42.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing shadowing checks in the AST parser's variable rewriting logic. The commit diff shows a new case was added to handle Call terms in rewriteDeclaredVarsInTerm
, which walks function
call references to detect shadowed variables. Prior to this fix, the compiler would allow shadowing of called functions
in comprehension heads (like input()
| input
:= 1), leading to invalid type conversions (Var
treated as Ref
) during subsequent compilation stages. The panic observed in CVE-2022-33082
occurs when the compiler tries to access operator information from what it expects to be a Ref
but is actually a shadowed Var
.