Miggo Logo
Miggo Vulnerability Database
CVE-2022-39340

CVE-2022-39340: OpenFGA subject to Information Disclosure via streamed-list-objects endpoint

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-39340
GHSA ID
GHSA-95x7-mh78-7w2r
EPSS Score
0.31362%
CWE
CWE-285
Published
10/25/2022
Updated
6/27/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/openfga/openfgago<= 0.2.30.2.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing authorization interceptors on streaming endpoints. The patch added streaming interceptors in both service configuration (service.go) and server setup (server.go). The original vulnerable versions lacked these interceptors, leaving streaming endpoints like 'streamed-list-objects' unprotected. The functions responsible for configuring interceptors (BuildService and Server.Run) were modified in the fix to include streaming interceptors, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w *urin* our int*rn*l s**urity *ss*ssm*nt, it w*s *is*ov*r** t**t `str**m**-list-o*j**ts` *n*point w*s not v*li**tin* t** *ut*oriz*tion *****r r*sultin* in t** *is*losur* o* o*j**ts in t** stor*. ### *m I *****t**? You *r* *****t** *y t*i

Reasoning

T** vuln*r**ility st*mm** *rom missin* *ut*oriz*tion int*r**ptors on str**min* *n*points. T** p*t** ***** str**min* int*r**ptors in *ot* s*rvi** *on*i*ur*tion (s*rvi**.*o) *n* s*rv*r s*tup (s*rv*r.*o). T** ori*in*l vuln*r**l* v*rsions l**k** t**s* in