CVE-2024-23820

OpenFGA DoS

CVSS 5.3 MEDIUM · EPSS 0.7% · CWE-770
In short

OpenFGA, an authorization/permission engine, has a bug in versions before 1.4.3 where, for certain authorization models and tuple sets, calls to ListObjects do not free the memory they allocate. An attacker who can issue enough of these calls can drive the server out of memory and crash it.

Technical detail

A resource exhaustion vulnerability (CWE-770, allocation of resources without limits) in OpenFGA's ListObjects endpoint: under certain combinations of authorization model and stored tuples, memory allocated to serve the request is not released when the call completes. An attacker who can send ListObjects requests to the server (the CVSS vector below rates this as requiring low privileges and high attack complexity, since the leak depends on the model and tuples in use) can repeat them until the process exhausts available memory and is terminated with an out-of-memory error, taking authorization checks down for every dependent service. No confidentiality or integrity impact is involved. The issue is patched in version 1.4.3; the fix is to upgrade.

Summary generated and translated by AI from the official description.
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
openfga · openfga
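The only version information the advisory gives is "prior to 1.4.3". The following is an added example, not OpenFGA's own code, of the check a practitioner would script against their deployed instances: parse the server's reported version string (how you obtain it, from an image tag, a binary, or an API response, is outside this example) and decide whether it falls in the affected range, treating pre-release builds of 1.4.3 as still affected per semver precedence.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the patched release named in the advisory for CVE-2024-23820.
var fixedVersion = semver{major: 1, minor: 4, patch: 3}

type semver struct {
	major, minor, patch int
	pre                 string // prerelease tag without the leading '-', "" for a release
}

// parseSemver accepts "v1.4.2", "1.4.3", "1.4.3-rc.1" and "1.4.3+build" style strings.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 { // build metadata never affects precedence
		s = s[:i]
	}
	var v semver
	if i := strings.Index(s, "-"); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad numeric component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// comparePre orders two prerelease tags by semver rules: numeric identifiers
// compare numerically and sort before alphanumeric ones; fewer identifiers sorts lower.
func comparePre(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aerr := strconv.Atoi(as[i])
		bn, berr := strconv.Atoi(bs[i])
		switch {
		case aerr == nil && berr == nil:
			if an != bn {
				if an < bn {
					return -1
				}
				return 1
			}
		case aerr == nil:
			return -1
		case berr == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	return len(as) - len(bs)
}

// less reports whether a precedes b: numeric components first, then a
// prerelease of a version sorts before the release of that same version.
func less(a, b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	if a.pre == "" || b.pre == "" {
		return a.pre != "" && b.pre == ""
	}
	return comparePre(a.pre, b.pre) < 0
}

// IsAffected reports whether the given OpenFGA version is in the range
// "prior to 1.4.3" that the advisory marks as vulnerable.
func IsAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	return less(v, fixedVersion), nil
}

func main() {
	// Constructed sample inputs, not versions read from a real deployment.
	for _, v := range []string{"v1.4.2", "1.4.3-rc.1", "1.4.3", "v1.5.0"} {
		affected, err := IsAffected(v)
		fmt.Printf("%-12s affected=%v err=%v\n", v, affected, err)
	}
}
```

The prerelease handling matters in practice: a build tagged 1.4.3-rc.1 predates the patched release and must be reported as affected, which a naive string comparison against "1.4.3" gets wrong.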
