x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-32q6-rr98-cjqv

[GoVulnBot]

Advisory GHSA-32q6-rr98-cjqv references a vulnerability in the following Go modules:

Module
github.com/openfga/openfga

Description:

Overview

OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?

You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions:

1. Calling Check API or ListObjects with a model that uses conditions, and
2. OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and
3. Check API c...

References:

• ADVISORY: GHSA-32q6-rr98-cjqv
• ADVISORY: GHSA-32q6-rr98-cjqv

Cross references:

• github.com/openfga/openfga appears in 12 other report(s):
  • data/reports/GO-2022-1079.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079)
  • data/reports/GO-2022-1080.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39341 #1080)
  • data/reports/GO-2022-1081.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39342 #1081)
  • data/reports/GO-2022-1099.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099)
  • data/reports/GO-2022-1179.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-23542 #1179)
  • data/reports/GO-2023-1872.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-35933 #1872)
  • data/reports/GO-2023-2028.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-jcf2-mxr2-gmqp #2028)
  • data/reports/GO-2023-2084.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-43645 #2084)
  • data/reports/GO-2023-2121.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-45810 #2121)
  • data/reports/GO-2024-2477.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-23820 #2477)
  • data/reports/GO-2024-2729.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-31452 #2729)
  • data/reports/GO-2024-3061.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      versions:
        - introduced: 1.3.8
        - fixed: 1.8.3
      vulnerable_at: 1.8.2
summary: OpenFGA Authorization Bypass in github.com/openfga/openfga
cves:
    - CVE-2024-56323
ghsas:
    - GHSA-32q6-rr98-cjqv
references:
    - advisory: https://github.com/advisories/GHSA-32q6-rr98-cjqv
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv
source:
    id: GHSA-32q6-rr98-cjqv
    created: 2025-01-13T20:01:20.357052375Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/642597 mentions this issue: data/reports: add GO-2025-3384