Nixpkgs security tracker
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- openfga-cli
- python312Packages.openfga-sdk
- python313Packages.openfga-sdk
- python314Packages.openfga-sdk
- @LeSuisse accepted
- @LeSuisse published on GitHub
OpenFGA Improper Policy Enforcement
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3.
References
-
https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9 x_refsource_CONFIRM
-
https://github.com/openfga/openfga/releases/tag/v1.11.3 x_refsource_MISC
Affected products
- ==< 1.11.3
Matching in nixpkgs
Ignored packages (4)
pkgs.openfga-cli
Cross-platform CLI to interact with an OpenFGA server
pkgs.python312Packages.openfga-sdk
Fine-Grained Authorization solution for Python
pkgs.python313Packages.openfga-sdk
Fine-Grained Authorization solution for Python
pkgs.python314Packages.openfga-sdk
Fine-Grained Authorization solution for Python
Package maintainers
-
@jlesquembre José Luis Lafuente <jl@lafuente.me>