CVE-2024-56323

MEDIUM Year: 2024
Weakness Type
CWE-285
View all →

Vulnerability Description

OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2020-5206

CRITICAL
CVSS:10.0(Critical)

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect give...

CWE-2852020

CVE-2021-31384

CRITICAL
CVSS:10.0(Critical)

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an ...

CWE-2852021

CVE-2021-37705

CRITICAL
CVSS:10.0(Critical)

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Direc...

CWE-2852021

CVE-2020-3374

CRITICAL
CVSS:9.9(Critical)

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive informat...

CWE-2852020

CVE-2025-29827

CRITICAL
CVSS:9.9(Critical)

Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.

CWE-2852025