{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T17:45:42.194","vulnerabilities":[{"cve":{"id":"CVE-2022-39342","sourceIdentifier":"security-advisories@github.com","published":"2022-10-25T17:15:56.333","lastModified":"2024-11-21T07:18:04.627","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue."},{"lang":"es","value":"OpenFGA es un motor de autorización/permiso. Las versiones anteriores a 0.2.4 son vulnerables a la omisión de la autorización bajo determinadas condiciones. Los usuarios cuyo modelo presenta una relación definida como un conjunto de tuplas (el lado derecho de una declaración \"from\") que implica cualquier cosa que no sea una relación directa (por ejemplo, \"as self\") son vulnerables. La versión 0.2.4 contiene un parche para este problema"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*","versionEndExcluding":"0.2.4","matchCriteriaId":"6C8497C4-6109-40A8-AA89-E20BF94EB4C2"}]}]}],"references":[{"url":"https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openfga/openfga/releases/tag/v0.2.4","source":"security-advisories@github.com","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openfga/openfga/releases/tag/v0.2.4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}