{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23542", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-01-19T21:23:53.796Z", "datePublished": "2022-12-20T20:15:16.628Z", "dateUpdated": "2025-04-16T14:43:38.712Z"}, "containers": {"cna": {"title": "OpenFGA Authorization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/pull/422"}, {"name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "= 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-20T20:15:16.628Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}], "source": {"advisory": "GHSA-m3q4-7qmj-657m", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.451Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/pull/422"}, {"name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T14:43:26.471806Z", "id": "CVE-2022-23542", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T14:43:38.712Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/openfga/openfga/pull/422", "name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.451Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-23542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T14:43:26.471806Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T14:43:32.412Z"}}], "cna": {"title": "OpenFGA Authorization Bypass", "source": {"advisory": "GHSA-m3q4-7qmj-657m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"status": "affected", "version": "= 0.3.0"}]}], "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openfga/openfga/pull/422", "name": "https://github.com/openfga/openfga/pull/422", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-20T20:15:16.628Z"}}}, "cveMetadata": {"cveId": "CVE-2022-23542", "state": "PUBLISHED", "dateUpdated": "2025-04-16T14:43:38.712Z", "dateReserved": "2022-01-19T21:23:53.796Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-20T20:15:16.628Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "83D51F01-FDB6-48DB-BD8F-88EE6A5CE24B", "versionEndExcluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n"}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permisos creado para desarrolladores e inspirado en Google Zanzibar. Durante una evaluaci\u00f3n de seguridad interna, se descubri\u00f3 que la versi\u00f3n 0.3.0 de OpenFGA es vulnerable a la omisi\u00f3n de autorizaci\u00f3n bajo ciertas condiciones. Este problema se solucion\u00f3 en la versi\u00f3n 0.3.1 y es compatible con versiones anteriores."}], "id": "CVE-2022-23542", "lastModified": "2024-11-21T06:48:46.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-20T21:15:10.493", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/pull/422"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/pull/422"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}