x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-56323

[GoVulnBot]

Advisory CVE-2024-56323 references a vulnerability in the following Go modules:

Module
github.com/openfga/openfga

Description:
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses conditions, and 2. calling Check API or ListObjects API with contextual tuples that include conditions and 3. OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED). Users are advised ...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-56323
• WEB: GHSA-32q6-rr98-cjqv

Cross references:

• github.com/openfga/openfga appears in 12 other report(s):
  • data/reports/GO-2022-1079.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079)
  • data/reports/GO-2022-1080.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39341 #1080)
  • data/reports/GO-2022-1081.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39342 #1081)
  • data/reports/GO-2022-1099.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099)
  • data/reports/GO-2022-1179.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-23542 #1179)
  • data/reports/GO-2023-1872.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-35933 #1872)
  • data/reports/GO-2023-2028.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-jcf2-mxr2-gmqp #2028)
  • data/reports/GO-2023-2084.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-43645 #2084)
  • data/reports/GO-2023-2121.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-45810 #2121)
  • data/reports/GO-2024-2477.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-23820 #2477)
  • data/reports/GO-2024-2729.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-31452 #2729)
  • data/reports/GO-2024-3061.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.8.3
summary: CVE-2024-56323 in github.com/openfga/openfga
cves:
    - CVE-2024-56323
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-56323
    - web: https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv
source:
    id: CVE-2024-56323
    created: 2025-01-13T23:01:23.044268354Z
review_status: UNREVIEWED

[zpavlinovic]

Duplicate of #3384