Nixpkgs security tracker
OpenFGA Improper Policy Enforcement
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3.
References
-
https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9 x_refsource_CONFIRM
-
https://github.com/openfga/openfga/releases/tag/v1.11.3 x_refsource_MISC
Affected products
- ==< 1.11.3
Matching in nixpkgs
pkgs.openfga
High performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
pkgs.openfga-cli
Cross-platform CLI to interact with an OpenFGA server
pkgs.python312Packages.openfga-sdk
Fine-Grained Authorization solution for Python
-
nixos-unstable 0.9.5
pkgs.python313Packages.openfga-sdk
Fine-Grained Authorization solution for Python
pkgs.python314Packages.openfga-sdk
Fine-Grained Authorization solution for Python
Package maintainers
-
@jlesquembre José Luis Lafuente <jl@lafuente.me>
-
@nicklewis Nick Lewis <nick@nlew.net>