Strix
26.1K

CVE-2023-43645

MEDIUMCVSS 5.9/10EPSS 0.75%

Last modified

CVE-2023-43645 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. EPSS estimates a 0.75% chance of exploitation in the next 30 days.

Description

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.

Metrics

CVSS 3.1
5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.75%

50.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
OpenfgaOpenfga< 1.3.2

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-43645?
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.
How severe is CVE-2023-43645?
CVE-2023-43645 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.75% probability of exploitation in the next 30 days.
How do I fix CVE-2023-43645?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-43645?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST