CVE-2024-56323
Published: 13 January 2025
Summary
CVE-2024-56323 is a critical-severity Improper Authorization (CWE-285) vulnerability in Openfga Helm Charts. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of flaws like CVE-2024-56323, directly preventing exploitation by upgrading OpenFGA to v1.8.3.
Mandates enforcement of approved authorizations in OpenFGA's Check and ListObjects APIs, directly countering the authorization bypass when conditions and caching are used.
Establishes secure baseline configurations for OpenFGA, such as restricting query caching, to avoid enabling the vulnerable combination of conditions and contextual tuples.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing OpenFGA API (Check/ListObjects) directly enables remote exploitation of a public-facing application without authentication.
NVD Description
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions),…
more
and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.
Deeper analysisAI
CVE-2024-56323 is an authorization bypass vulnerability affecting OpenFGA, an open-source authorization and permission engine. The issue impacts OpenFGA versions from v1.3.8 to v1.8.2, including corresponding Helm chart releases from openfga-0.1.38 to openfga-0.2.19 and Docker images from v1.3.8 to v1.8.2. It occurs specifically when a model uses conditions, the Check API or ListObjects API is called with contextual tuples that include conditions, and OpenFGA is configured with query caching enabled via the OPENFGA_CHECK_QUERY_CACHE_ENABLED setting. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-285 (Improper Authorization).
Attackers can exploit this vulnerability remotely over the network with no required privileges, user interaction, or special conditions beyond the specified configuration. By crafting API requests to the Check or ListObjects endpoints using models and contextual tuples with conditions, unauthenticated attackers can bypass authorization checks when caching is active, potentially gaining unauthorized access to sensitive resources, modifying permissions, or disrupting service availability.
The official advisory recommends upgrading to OpenFGA v1.8.3 to remediate the vulnerability, with no known workarounds available. Additional details are provided in the GitHub Security Advisory at https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv.
Details
- CWE(s)