CVE-2024-42473 — HIGH (7.5)

Vulnerability Description

OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As of time of publication, a patch is not available but OpenFGA's maintainers are planning a patch for inclusion in a future release.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Openfga	Openfga	1.5.7

Related Weaknesses (CWE)

CWE-863

References

https://github.com/openfga/openfga/security/advisories/GHSA-3f6g-m4hr-59h8Third Party Advisory

FAQ

What is CVE-2024-42473?

CVE-2024-42473 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a use...

How severe is CVE-2024-42473?

CVE-2024-42473 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-42473?

Check the references section above for vendor advisories and patch information. Affected products include: Openfga Openfga.