blob: 92bace15e2cbc608421e709a0eacaae8a1bd9dbf
id: GO-2023-1872
modules:
    - module: github.com/openfga/openfga
      versions:
          - fixed: 1.1.1
      vulnerable_at: 1.1.1-0.20230623171216-d180fc3e227f
      packages:
          - package: github.com/openfga/openfga/pkg/typesystem
            symbols:
                - New
                - NewAndValidate
                - TypeSystem.validateNames
                - TypeSystem.validateRelationTypeRestrictions
summary: Denial of service in github.com/openfga/openfga
description: |-
    OpenFGA is vulnerable to a denial of service attack when certain Check and
    ListObjects calls are executed against authorization models that contain
    circular relationship definitions.
cves:
    - CVE-2023-35933
ghsas:
    - GHSA-hr9r-8phq-5x8j
references:
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j
    - fix: https://github.com/openfga/openfga/commit/087ce392595f3c319ab3028b5089118ea4063452
review_status: REVIEWED