Home > Vulnerability Database > CVE-2023-43645

Mend.io Vulnerability Database

CVE-2023-43645

Good to know:

Date: September 27, 2023

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.

Language: Go

Severity Score

5.9

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-43645

Url: https://github.com/openfga/openfga/commit/725296025fd81227c89525808652c6acd4a605f6

Url: https://github.com/openfga/openfga/security/advisories/GHSA-2hm9-h873-pgqh

Url: https://www.mend.io/vulnerability-database/CVE-2023-43645

Severity Score

5.9

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

Top Fix

Upgrade Version

Upgrade to version v1.3.2

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-43645

Good to know:

Date: September 27, 2023

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?