CVE-2022-39340: OpenFGA subject to Information Disclosure via streamed-list-objects endpoint
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
- CVE ID: CVE-2022-39340
- GHSA ID:
- EPSS Score: 0.31362%
- CWE:
- Published: 10/25/2022
- Updated: 6/27/2023
- KEV Status: No
- Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/openfga/openfga | go | <= 0.2.3 | 0.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing authorization interceptors on streaming endpoints: the unary endpoints were wrapped by the authorization interceptor, but the streaming endpoints, including 'streamed-list-objects', were not. The patch added streaming interceptors in both the service configuration (service.go) and the server setup (server.go). The functions responsible for configuring interceptors (BuildService and Server.Run) were modified in the fix to register the streaming interceptors alongside the unary ones, confirming their role in the vulnerability.
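The failure mode described above is easy to reproduce in miniature, and the regression test that catches it is short. The following Go program is an added example, not OpenFGA's or grpc-go's code: it models a server with separate unary and stream interceptor chains (the shapes loosely mirror gRPC's server-side interceptors), a hypothetical `BuildServer` that stands in for the page's BuildService/Server.Run, and an `UnprotectedMethods` check that calls every registered method without credentials and reports which ones answer. The method names, the token value and the handler bodies are constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
)

// Constructed model of server-side interceptors; the shapes loosely mirror
// gRPC's unary and stream interceptor types but nothing here is grpc-go.
type UnaryHandler func(ctx context.Context, req string) (string, error)
type StreamHandler func(ctx context.Context, send func(string)) error
type UnaryInterceptor func(ctx context.Context, req string, next UnaryHandler) (string, error)
type StreamInterceptor func(ctx context.Context, send func(string), next StreamHandler) error

type ctxKey struct{}

var ErrUnauthenticated = errors.New("unauthenticated")

// authorized reports whether the context carries the (constructed) valid token.
func authorized(ctx context.Context) bool {
	tok, _ := ctx.Value(ctxKey{}).(string)
	return tok == "valid-token" // stand-in for real token verification
}

// AuthUnary refuses unauthenticated unary calls before the handler runs.
func AuthUnary(ctx context.Context, req string, next UnaryHandler) (string, error) {
	if !authorized(ctx) {
		return "", ErrUnauthenticated
	}
	return next(ctx, req)
}

// AuthStream is the same check for streaming calls; its absence is the bug.
func AuthStream(ctx context.Context, send func(string), next StreamHandler) error {
	if !authorized(ctx) {
		return ErrUnauthenticated
	}
	return next(ctx, send)
}

// Server keeps one interceptor chain per call type, as a gRPC server does.
type Server struct {
	unaryChain  []UnaryInterceptor
	streamChain []StreamInterceptor
	unary       map[string]UnaryHandler
	stream      map[string]StreamHandler
}

func (s *Server) callUnary(ctx context.Context, method, req string) (string, error) {
	h, ok := s.unary[method]
	if !ok {
		return "", fmt.Errorf("unknown unary method %q", method)
	}
	for i := len(s.unaryChain) - 1; i >= 0; i-- { // wrap innermost first
		ic, next := s.unaryChain[i], h
		h = func(ctx context.Context, req string) (string, error) { return ic(ctx, req, next) }
	}
	return h(ctx, req)
}

func (s *Server) callStream(ctx context.Context, method string, send func(string)) error {
	h, ok := s.stream[method]
	if !ok {
		return fmt.Errorf("unknown stream method %q", method)
	}
	for i := len(s.streamChain) - 1; i >= 0; i-- {
		ic, next := s.streamChain[i], h
		h = func(ctx context.Context, send func(string)) error { return ic(ctx, send, next) }
	}
	return h(ctx, send)
}

// BuildServer is a hypothetical analogue of the page's BuildService/Server.Run.
// withStreamAuth=false models the pre-0.2.4 setup (unary chain only);
// true models the fix, which registers the auth interceptor on both chains.
func BuildServer(withStreamAuth bool) *Server {
	s := &Server{
		unary: map[string]UnaryHandler{ // constructed handlers
			"Check":       func(context.Context, string) (string, error) { return "allowed", nil },
			"ListObjects": func(context.Context, string) (string, error) { return "document:1", nil },
		},
		stream: map[string]StreamHandler{
			"StreamedListObjects": func(_ context.Context, send func(string)) error {
				send("document:1")
				send("document:2")
				return nil
			},
		},
		unaryChain: []UnaryInterceptor{AuthUnary},
	}
	if withStreamAuth {
		s.streamChain = []StreamInterceptor{AuthStream}
	}
	return s
}

// UnprotectedMethods calls every registered method with no credentials and
// returns, sorted, the names of those that did not refuse the call.
func UnprotectedMethods(s *Server) []string {
	ctx := context.Background()
	var out []string
	for name := range s.unary {
		if _, err := s.callUnary(ctx, name, "req"); !errors.Is(err, ErrUnauthenticated) {
			out = append(out, name)
		}
	}
	for name := range s.stream {
		if err := s.callStream(ctx, name, func(string) {}); !errors.Is(err, ErrUnauthenticated) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, fixed := range []bool{false, true} {
		fmt.Printf("stream auth registered=%v unprotected=%v\n", fixed, UnprotectedMethods(BuildServer(fixed)))
	}
}
```

`UnprotectedMethods` is the shape of regression test worth keeping in a service that exposes both unary and streaming RPCs: it enumerates every registered method rather than spot-checking a few, so a new streaming endpoint added to the wrong chain shows up as a failing assertion instead of an unauthenticated data path.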